
CVE-2023-4863 Vulnerability and Xplan

Community Manager

A new security vulnerability (CVE-2023-4863) has been identified impacting major web browsers. Xplan is vulnerable to CVE-2023-4863 but we have not identified any exploitation of our software. We have included a security patch in the latest version of Xplan which has just been released.


Those on auto-update do not need to do anything; you will receive the latest version over the weekend. If you are not on auto-update, please upgrade to the latest version.


About the vulnerability

Citizen Lab has recently disclosed CVE-2023-4863, the most recent zero-day vulnerability. The vulnerability was discovered in WebP, an image file format developed by Google and supported by other web browser makers. It impacts Google Chrome versions prior to 116.0.5845.187 and allows a remote attacker to perform an out-of-bounds memory write through a malicious WebP image. Researchers found that the vulnerability was used to deploy the Pegasus spyware developed by NSO Group.


Although Iress have not identified any exploitation of our software at this stage, we have taken immediate preventative measures to ensure our software has been patched to remove our exposure to CVE-2023-4863. We now also strongly recommend that clients take the latest release as a priority.


Is Xplan vulnerable to CVE-2023-4863? 

Yes. Xplan runs on the Ubuntu operating system and uses LibreOffice software to generate Xmerge reports. Both were vulnerable, and a patch to mitigate the vulnerability has been released for each.


Has Xplan been patched and secured?

Yes, we have patched Xplan’s Ubuntu operating system in Xplan release 23.9.289, and strongly recommend all clients upgrade to this release as of 15 Sep 2023. A bespoke patched version of LibreOffice 7.6.1 has been deployed to the Xplan reporting service already and no action is required.


Are there any other software/applications in Xplan vulnerable to CVE-2023-4863 issues? 

As of now, LibreOffice and Ubuntu are the systems we have identified as vulnerable. Both have been patched. We continue to investigate and assess any downstream dependencies and vendor integrations for the vulnerability.


What is being asked of clients?

Clients are strongly recommended to upgrade to the latest Xplan version, which was released today.