Zultys Security Advisory Notice - SAN23-002 Rev 1.1
Webp Vulnerability - Impact on Zultys UC Clients (CVE-2023-4863)
WebZAC – depends on the web browser used
MX Mobile for iPhone – depends on operating system
Zultys Mobile for Android – depends on operating system
ZAC – up to and including version 8.4.32
WebZAC – vulnerability depends on the web browser used
MX Mobile (iOS) – vulnerability depends on the underlying iOS operating system
Zultys Mobile for Android – vulnerability depends on the underlying Android operating system
Products Not Impacted
MX-SE, MX-SE II, MX-E, MX-Virtual systems
A significant vulnerability in the Webp image processing library has been reported by Google (CVE-2023-4863).
The related ‘libwebp’ software is a third-party library used in many software applications including the ZAC client, web browsers such as Google Chrome, Mozilla Firefox and Microsoft Edge, Apple iOS and Android operating systems.
ZAC – Zultys has released an updated version of ZAC (8.4.33) which includes an updated libwebp version that resolves the vulnerability reported in CVE-2023-4863. For optimal security, Zultys recommends customers upgrade to the latest ZAC version. The latest ZAC version may be downloaded from https://www.zultys.com/zac or the KBS (https://kbs.zultys.com).
WebZAC – Exposure to vulnerability is dependent on the underlying web browser being used. Update web browser to a version containing a fix for CVE-2023-4863, refer to your web browser vendor for additional information.
MX Mobile for iPhone – Exposure to vulnerability is dependent on the underlying Apple operating system. Update iPhone to a version containing a fix for CVE-2023-4863, refer to phone vendor for additional information.
Zultys Mobile for Android – Exposure to vulnerability is dependent on the underlying Android operating system. Update Android device to a version containing a fix for CVE-2023-4863, refer to phone vendor for additional information.
Customers should ensure that they use an updated web browser incorporating a fix for CVE-2023-4863 to access all web applications.
For ZAC, the softphone in version 8.0.x and later is compatible with MX Release 16.0.4 and later (Release 16.0.4 requires a patch incorporating improvement MX-5313). Customers upgrading from a ZAC version prior to 8.0.x to 8.4.33 that utilize the softphone, must ensure the MX system is running version 16.0.4 or later and the networking requirements detailed in the ZAC 8.4 User Manual are met.
For cases where it is not feasible to immediately upgrade to ZAC 8.4.33, support for Webp format images may be disabled in ZAC 8.4.32 and earlier by deleting (or renaming) the ‘qweb.dll’ file located in the ‘imageformats’ folder of the ZAC installation folder. On a Windows PC this will generally be C:\Program Files (x86)\Zultys\ZAC\imageformats.
Initial Security Advisory Notice.
Updates to formatting of advisory.