Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- Mozilla developers reported memory safety bugs present in Firefox 70 and Firefox ESR 68.2. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3,
and Firefox < 71. (CVE-2019-17012)
- The plain text serializer used a fixed-size array for the number of <ol> elements it could process;
however it was possible to overflow the static-sized array leading to memory corruption and a potentially
exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
(CVE-2019-17005)
- When using nested workers, a use-after-free could occur during worker destruction. This resulted in a
potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and
Firefox < 71. (CVE-2019-17008)
- When running, the updater service wrote status and log files to an unrestricted location; potentially
allowing an unprivileged process to locate and exploit a vulnerability in file handling in the updater
service. *Note: This attack requires local system access and only affects Windows. Other operating systems
are not affected.*. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
(CVE-2019-17009)
- Under certain conditions, when checking the Resist Fingerprinting preference during device orientation
checks, a race condition could have caused a use-after-free and a potentially exploitable crash. This
vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. (CVE-2019-17010)
Solution
Update the firefox-esr library and its related packages to version 68.3.0-r0 or later.
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 12/3/2019