<h4 id="the-issue-is-resolved-as-of-version-2.170.1-see-update-31102024-for-more-information"><strong>The issue is resolved as of version 2.170.1; see <em>Update 31/10/2024</em> for more information</strong></h4>
<hr />
<h4 id="general-information">General Information</h4>
<p>This article contains frequently asked questions relating to the heap buffer overflow vulnerability affecting libwebp. On September 11, 2023, Google published a <a href="https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html">stable channel update</a> to address the vulnerability in libwebp and assigned CVE-2023-4863 to track it.</p>
<p>libwebp is the library used to allow programs to support the WebP file format and is a part of Google's Chromium project.</p>
<h4 id="update-31102024">Update 31/10/2024:</h4>
<p>Changes were made in the third-party component to use an updated version of the Chromium engine runtime, which fixes the vulnerability. This change also reverts the mitigations put in place by the previous patches detailed below.<br />
<strong>This patch is in version 2.170.1 onwards.</strong></p>
<h4 id="update-22032024">Update 22/03/2024:</h4>
<p>Changes were made to the "Print Ticket" functionality to replace each image with a link to the image, instead of removing images altogether.<br />
Available in version 2.143.31 onwards.</p>
<h4 id="update-29012024">Update 29/01/2024:</h4>
<p>Changes were made to the "Print Ticket" functionality so that the PDF can still be created, but any images are removed.<br />
Available in version 2.132.51 onwards.</p>
<h4 id="update-03102023">Update 03/10/2023:</h4>
<p>A third-party component that the Halo API uses to generate PDF documents from HTML uses a version of Chromium that is not currently up to date (116.0.5845.188) and is therefore susceptible to the issue identified in CVE-2023-4863 if images are rendered from an untrusted source.</p>
<p>Since the "Print Ticket" functionality uses this component and renders HTML that can contain images sent from an untrusted source (for example, an email received into a ticket), it is susceptible to the issue identified in CVE-2023-4863.</p>
<p>To prevent this issue from being exploited, Halo has taken the necessary step to temporarily disable the rendering of this untrusted HTML in the "Print Ticket" functionality. Any HTML notes that would have been rendered when the PDF is generated will instead render the plain text version of the note. This means the note will still show but without any images or formatting.</p>
<p>This is a short-term workaround. Once our supplier has released an update to the impacted component that addresses this issue, Halo will update the component and release a patch that restores the Print Ticket functionality to how it was before, where HTML notes are rendered.</p>
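<p>The three mitigation stages described in the updates above (render notes as plain text, keep the HTML but drop images, keep the HTML but replace each image with a link to it) can be illustrated with a small pre-render filter. The following is an added example written for this article, not Halo's code; the component, file names and the sample note are assumptions, and the filter only handles <code>&lt;img&gt;</code> elements.</p>
```python
from html import escape
from html.parser import HTMLParser

# Elements that never carry a closing tag; their end tags are not emitted.
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}


class NoteSanitizer(HTMLParser):
    """Rewrite a ticket note before it reaches an HTML-to-PDF renderer.

    mode="text"  : drop all markup and keep only the text (03/10/2023 workaround)
    mode="strip" : keep markup but drop <img> elements    (29/01/2024 change)
    mode="link"  : replace each <img> with a link to its src (22/03/2024 change)
    """

    def __init__(self, mode):
        super().__init__(convert_charrefs=True)
        self.mode = mode
        self.out = []

    def handle_starttag(self, tag, attrs):
        if self.mode == "text":
            return
        if tag == "img":
            if self.mode == "link":
                # The renderer never fetches the image; the reader gets a link.
                src = dict(attrs).get("src") or ""
                self.out.append('<a href="%s">%s</a>' % (escape(src, quote=True), escape(src)))
            return
        attr_text = "".join(' %s="%s"' % (k, escape(v or "", quote=True)) for k, v in attrs)
        self.out.append("<%s%s>" % (tag, attr_text))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <img ... /> like <img ...>

    def handle_endtag(self, tag):
        if self.mode == "text" or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data if self.mode == "text" else escape(data, quote=False))


def sanitize_note(html_note, mode):
    """Return the note rewritten according to the chosen mitigation mode."""
    parser = NoteSanitizer(mode)
    parser.feed(html_note)
    parser.close()
    return "".join(parser.out)


# Constructed sample note, as one might arrive from an inbound email (hypothetical URL).
SAMPLE_NOTE = '<p>Printer <b>jammed</b>, see photo:<img src="https://example.invalid/photo.webp" alt="jam"></p>'
```
<p>Anything else the renderer could fetch an image through (CSS backgrounds, inline SVG, object elements) is outside what this filter covers, which is why the page's final fix is to update the Chromium runtime rather than keep filtering.</p>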
<h3 id="are-hosted-halo-instances-affected">Are hosted Halo instances affected?</h3>
<p>Hosted customers will be automatically updated to a patch to resolve this issue, and therefore no action is required by hosted customers.</p>
<h3 id="are-on-prem-halo-instances-affected">Are On-Prem Halo instances affected?</h3>
<p>Halo On-Prem installations should apply the latest stable or beta patch to their Halo instance to resolve this issue.</p>
<h3 id="next-steps">Next Steps</h3>
<p>No action is required on the part of our customers.
Halo is in communication with the suppliers of third-party components to ensure their integrity and will update accordingly.</p>
<p>We will continue to monitor our business infrastructure to ensure the same level of service and security that you expect.</p>
<h3 id="links">Links</h3>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-4863">https://nvd.nist.gov/vuln/detail/CVE-2023-4863</a><br />
<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-5129">https://nvd.nist.gov/vuln/detail/CVE-2023-5129</a></p>