ALASFIREFOX-2024-031

Amazon Linux 2 Security Advisory: ALASFIREFOX-2024-031
Advisory Release Date: 2024-10-24 16:45 Pacific
Advisory Updated Date: 2024-10-31 16:00 Pacific
Severity: Important
Issue Overview:

A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. (CVE-2024-9392)

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. (CVE-2024-9393)

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. (CVE-2024-9394)

Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. (CVE-2024-9401)

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, and Firefox ESR < 115.16.1. (CVE-2024-9680)


Affected Packages:

firefox


Note:

This advisory is applicable to Amazon Linux 2 - Firefox Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update firefox to update your system.

New Packages:
aarch64:
    firefox-115.16.1-1.amzn2.0.1.aarch64
    firefox-debuginfo-115.16.1-1.amzn2.0.1.aarch64

src:
    firefox-115.16.1-1.amzn2.0.1.src

x86_64:
    firefox-115.16.1-1.amzn2.0.1.x86_64
    firefox-debuginfo-115.16.1-1.amzn2.0.1.x86_64

Additional References

Red Hat: CVE-2024-9392, CVE-2024-9393, CVE-2024-9394, CVE-2024-9401, CVE-2024-9680

Mitre: CVE-2024-9392, CVE-2024-9393, CVE-2024-9394, CVE-2024-9401, CVE-2024-9680