
10/04/2023 - Update on H2O’s response to CVE-2023-4863

The H2O.ai team analyzed and assessed the impact of the vulnerability CVE-2023-4863 and implemented the necessary changes in the H2O.ai ecosystem. These changes have been propagated to H2O.ai Managed Cloud and incorporated into the upcoming 23.10 release.


For any additional questions, please reach out to H2O.ai support at support@h2o.ai.

09/28/2023 - H2O’s response to CVE-2023-4863

The H2O.ai team continues to investigate and evaluate the heap buffer overflow in the libwebp native library, reported as CVE-2023-4863.

The libwebp library processes images in the WebP format, which employs both lossy and lossless compression.

Versions Affected: all libwebp versions < 1.3.2

Fixed Version: 1.3.2

 

The vulnerability was first reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School on 09/06/2023 and confirmed by various web browser vendors (for example, Mozilla, Chrome). If exploited, the buffer overflow in parsing WebP images may result in the execution of arbitrary code.

As soon as H2O.ai learned of this vulnerability, we promptly started to evaluate all our released software versions and cloud-hosted systems to determine what might be impacted. This page will be updated with findings and remediations.

 

For any additional questions, reach out to H2O.ai support at support@h2o.ai.

 

Sincerely,

H2O.ai Customer Support