The vulnerability in the libwebp program library is not exploitable in the WYS Platform - nevertheless, we recommend updating the maintenance tool with a security patch

Date
29.09.2023

The libwebp program library has a critical vulnerability (CVE-2023-5129 and CVE-2023-4863). The vulnerability can be exploited if a browser using the library loads a malicious web page.

The WYS Platform installation package includes a maintenance tool that uses the library in question. The vulnerability cannot be exploited in the tool because the tool only connects to the local WYS Platform and does not have access to the Internet. In addition, the tool is only available to local WYS Platform administrators; it is therefore not needed for daily use of the Platform.

The security patch with update instructions will be available from September 29, 2023. The WYS Platform maintenance tool does not run on its own and does not need to be started before the update. The security patch does not require updating the entire WYS Platform; updating the tool is sufficient.

You can get the security patch with the update instructions by emailing helpdesk[at]wys.fi.


More information about the vulnerability is available in Finnish in the National Cyber Security Centre's bulletin: https://www.kyberturvalliskeskus.fi/fi/haavoittuvuus_17/2023