CVE-2023-42917: Apple Multiple Products WebKit Memory Corruption Vulnerability
First published: Thu Nov 30 2023(Updated: )
A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
Credit: product-security@apple.com product-security@apple.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/webkitgtk | <2.42.3 | 2.42.3 |
| Apple macOS Sonoma | <14.1.2 | 14.1.2 |
| Apple iOS | <17.1.2 | 17.1.2 |
| Apple iPadOS | <17.1.2 | 17.1.2 |
| Apple Safari | <17.1.2 | 17.1.2 |
| Apple iOS | <15.8.1 | 15.8.1 |
| Apple iPadOS | <15.8.1 | 15.8.1 |
| Apple iPhone | ||
| Apple Mac | ||
| Apple TV | ||
| Apple watch | ||
| Apple iOS | <16.7.3 | 16.7.3 |
| Apple iPadOS | <16.7.3 | 16.7.3 |
| debian/webkit2gtk | <=2.36.4-1~deb10u1<=2.38.6-0+deb10u1<=2.42.2-1~deb11u1<=2.42.2-1~deb12u1 | 2.42.5-1~deb11u1 2.42.5-1~deb12u1 2.42.5-1 2.44.1-1 |
| debian/wpewebkit | <=2.38.6-1~deb11u1<=2.38.6-1 | 2.42.5-1 2.44.1-1 |
| ubuntu/webkit2gtk | <2.42.3-0ubuntu0.22.04.1 | 2.42.3-0ubuntu0.22.04.1 |
| ubuntu/webkit2gtk | <2.42.3-0ubuntu0.23.04.1 | 2.42.3-0ubuntu0.23.04.1 |
| ubuntu/webkit2gtk | <2.42.3-0ubuntu0.23.10.1 | 2.42.3-0ubuntu0.23.10.1 |
| ubuntu/webkit2gtk | <2.42.3-1 | 2.42.3-1 |
| ubuntu/webkit2gtk | <2.42.3 | 2.42.3 |
| Apple Safari | <17.1.2 | |
| Apple iPadOS | <15.8.1 | |
| Apple iPadOS | >=16.0<16.7.3 | |
| Apple iPadOS | >=17.0<17.1.2 | |
| Apple iPhone OS | <15.8.1 | |
| Apple iPhone OS | >=16.0<16.7.3 | |
| Apple iPhone OS | >=17.0<17.1.2 | |
| Apple macOS | >=14.0<14.1.2 | |
| Debian Debian Linux | =11.0 | |
| Debian Debian Linux | =12.0 | |
| Fedoraproject Fedora | =38 | |
| Fedoraproject Fedora | =39 | |
| Webkitgtk Webkitgtk\+ | <2.42.3 | |
| Apple watchOS | <10.2 | 10.2 |
| Apple tvOS | <17.2 | 17.2 |
| Apple Multiple Products |
Remedy
Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/HT214032 (Advisory)
- https://support.apple.com/en-us/HT214031 (Advisory)
- https://support.apple.com/en-us/HT214033 (Advisory)
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-patched-iphone-kernel-bug-now-exploited-in-attacks/
- http://www.openwall.com/lists/oss-security/2023/12/05/1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AD2KIHHCUBQC2YYH3FJWAHI5BG3QETOH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P5LQS6VEI7VIZNC7QGQ62EOV45R5RJIR/
- https://www.debian.org/security/2023/dsa-5575
- http://seclists.org/fulldisclosure/2023/Dec/3
- http://seclists.org/fulldisclosure/2023/Dec/4
- http://seclists.org/fulldisclosure/2023/Dec/5
- http://seclists.org/fulldisclosure/2023/Dec/8
- http://seclists.org/fulldisclosure/2023/Dec/12
- http://seclists.org/fulldisclosure/2023/Dec/13
- https://security.gentoo.org/glsa/202401-04
- http://seclists.org/fulldisclosure/2024/Jan/35
- https://launchpad.net/bugs/cve/CVE-2023-42917
- https://support.apple.com/en-us/HT214062 (Advisory)
- https://support.apple.com/en-us/HT214034 (Advisory)
- https://webkitgtk.org/security/WSA-2023-0011.html
- https://security-tracker.debian.org/tracker/CVE-2023-42917
- https://ubuntu.com/security/notices/USN-6545-1
- https://www.cve.org/CVERecord?id=CVE-2023-42917
- https://nvd.nist.gov/vuln/detail/CVE-2023-42917
- https://ubuntu.com/security/CVE-2023-42917
- https://support.apple.com/kb/HT214033
- https://support.apple.com/kb/HT214034
- https://support.apple.com/kb/HT214062
- https://support.apple.com/en-us/HT214041 (Advisory)
- https://support.apple.com/en-us/HT214040 (Advisory)
- https://support.apple.com/en-us/HT214031,
- https://support.apple.com/en-us/HT214032,
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2253059
- https://access.redhat.com/errata/RHSA-2023:7715
- https://access.redhat.com/errata/RHSA-2023:7716
- https://access.redhat.com/errata/RHSA-2024:8492
- https://access.redhat.com/errata/RHSA-2024:8496
- https://access.redhat.com/errata/RHSA-2024:9646
- https://access.redhat.com/errata/RHSA-2024:9653
- https://access.redhat.com/errata/RHSA-2024:9680
- https://access.redhat.com/errata/RHSA-2024:9679
- https://bugzilla.redhat.com/show_bug.cgi?id=2253058
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2023-42916
- CVE-2023-42917
- CVE-2022-48618
- CVE-2024-23222
- CVE-2023-42919
- CVE-2023-42896
- CVE-2023-42884
- CVE-2023-42962
- CVE-2023-42922
- CVE-2023-42899
- CVE-2023-42974
- CVE-2023-42914
- CVE-2023-42893
- CVE-2023-42883
- CVE-2023-42937
- CVE-2023-42898
- CVE-2023-42888
- CVE-2023-42936
- CVE-2023-42947
- CVE-2023-40389
- CVE-2023-42890
- CVE-2023-42950
Frequently Asked Questions
What is CVE-2023-42917?
CVE-2023-42917 is a memory corruption vulnerability in WebKit that allows for arbitrary code execution.
Which Apple products are affected by CVE-2023-42917?
Apple Safari, macOS Sonoma, iOS, and iPadOS versions up to and including 17.1.2 are affected by CVE-2023-42917.
How was CVE-2023-42917 fixed?
CVE-2023-42917 was fixed with improved locking in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2.
Is there a remedy available for CVE-2023-42917?
Yes, the remedy for CVE-2023-42917 is to update to iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, or Safari 17.1.2.
Where can I find more information about CVE-2023-42917?
You can find more information about CVE-2023-42917 in the following references: - [Apple Support - HT214031](https://support.apple.com/en-us/HT214031) - [Apple Support - HT214033](https://support.apple.com/en-us/HT214033) - [Apple Support - HT214032](https://support.apple.com/en-us/HT214032)
- agent/type
- agent/first-publish-date
- agent/author
- agent/remedy
- agent/title
- agent/weakness
- collector/apple-support
- source/Apple
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2022-48618
- alias/CVE-2024-23222
- alias/CVE-2023-42916
- alias/CVE-2023-42917
- agent/severity
- collector/launchpad-cve
- source/Launchpad
- agent/news-ai
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- agent/description
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/event
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/tags
- collector/nvd-cve
- agent/last-modified-date
- agent/trending
- vendor/apple
- canonical/apple macos sonoma
- canonical/apple ios
- canonical/apple ipados
- canonical/apple safari
- canonical/apple iphone
- canonical/apple mac
- canonical/apple tv
- canonical/apple watch
- package-manager/debian
- package-manager/ubuntu
- version/apple ipados/16.0
- version/apple ipados/17.0
- canonical/apple iphone os
- version/apple iphone os/16.0
- version/apple iphone os/17.0
- canonical/apple macos
- version/apple macos/14.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- version/debian debian linux/12.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/38
- version/fedoraproject fedora/39
- vendor/webkitgtk
- canonical/webkitgtk webkitgtk\+
- canonical/apple watchos
- canonical/apple tvos
- canonical/apple multiple products
- package-manager/redhat