Please sign in or register to access software information via the Iress Community.
- Home
- Welcome
- Help
- Iress Open
- Iress Labs
- From Iress
Hello there!
More great content is available for our registered community members, log in now to take a look.
Log in
Log in using your Iress Community username and password. Your username will be shown to you in your activation email.
Log in to Community
OR
Sign up
If you are navigating here straight from our software,
click to Register. If not, find out how to register here
Create New Account
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Iress Notifications
Key updates from across Iress
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Iress Community
- :
- Iress Community Knowledge Base
- :
- From Iress Knowledge Base
- :
- Iress Notifications
- :
- CVE-2023-4863 Vulnerability and Xplan
CVE-2023-4863 Vulnerability and Xplan
15-09-2023 04:02 PM - edited 18-09-2023 04:32 PM
A new security vulnerability (CVE-2023-4863) has been identified impacting major web browsers. Xplan is vulnerable to CVE-2023-4863 but we have not identified any exploitation of our software. We have included a security patch in the latest version of Xplan which has just been released.
Those on auto-updates do not need to do anything - you will receive the latest version over the weekend. If you are not on auto-update, please upgrade to the latest version.
About the vulnerability
Citizen Lab has recently disclosed CVE-2023-4863, the most recent zero-day vulnerability. The vulnerability was discovered in WebP, an image file format developed by Google and supported by other web browser makers. The security vulnerability impacts Google Chrome versions prior to 116.0.5845.187 and allows a remote attacker to perform an out-of-bounds memory write through a malicious WebP image. Researchers uncovered the vulnerability was utilized to deploy the Pegasus spyware developed by NSO Group.
Although Iress have not identified any exploitation of our software at this stage, we have taken immediate preventative measures to ensure our software has been patched to remove our exposure to CVE-2023-4863. We now also strongly recommend that clients take the latest release as a priority.
Is Xplan vulnerable to CVE-2023-4863?
Yes, Xplan runs on the Ubuntu operating system and uses LibreOffice software to generate Xmerge reports. Both of these applications were vulnerable and have released a patch to mitigate the vulnerability.
Has Xplan been patched and secured?
Yes, we have patched Xplan’s Ubuntu operating system in Xplan release 23.9.289, and strongly recommend all clients upgrade to this release as of 15 Sep 2023. A bespoke patched version of LibreOffice 7.6.1 has been deployed to the Xplan reporting service already and no action is required.
Are there any other software/applications in Xplan vulnerable to CVE-2023-4863 issues?
As of now LibreOffice and Ubuntu are the systems we have identified as vulnerable. Both have been patched. We continue to investigate and assess any downstream dependencies and vendor integrations for the vulnerability.
What is the ask from the clients?
Clients are strongly recommended to upgrade their Xplan with the latest Xplan version which was released today.
0
Kudos
Iress is a technology company providing software to the financial services industry.
Our software is used by more than 9,000 businesses and 500,000 users globally.
Trust
© Iress 2024. All rights reserved