Palo Alto Networks Security Advisories / PAN-SA-2024-0011

PAN-SA-2024-0011 Chromium: Monthly Vulnerability Updates

047910
Severity 8.6 · HIGH
Urgency MODERATE
Response Effort LOW
Recovery AUTOMATIC
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction ACTIVE
Product Confidentiality HIGH
Product Integrity HIGH
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE
JSON
Published 2024-10-09
Updated 2024-10-09
Reference
Discovered externally

Description

Palo Alto Networks incorporated the following Chromium security fixes into its products:

- https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html

- https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_24.html

- https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop.html

- https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_8.html

CVECVSSSummary
CVE-2024-8904Type Confusion in V8.
CVE-2024-8905Inappropriate implementation in V8.
CVE-2024-89064.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)Incorrect security UI in Downloads.
CVE-2024-89076.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)Insufficient data validation in Omnibox.
CVE-2024-89084.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)Inappropriate implementation in Autofill.
CVE-2024-89094.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)Inappropriate implementation in UI.
CVE-2024-9120Use after free in Dawn.
CVE-2024-9121Inappropriate implementation in V8.
CVE-2024-9122Type Confusion in V8.
CVE-2024-9123Integer overflow in Skia.
CVE-2024-7025Integer overflow in Layout.
CVE-2024-9369Insufficient data validation in Mojo.
CVE-2024-9370Inappropriate implementation in V8.
CVE-2024-9602Type Confusion in V8.
CVE-2024-9603Type Confusion in V8.

Product Status

VersionsAffectedUnaffected
Prisma Access Browser < 129.59.2896.5>= 129.101.2913.3

Severity: HIGH

CVSSv4.0 Base Score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Solution

CVE-2024-8904, CVE-2024-8905, CVE-2024-8906, CVE-2024-8907, CVE-2024-8908, and CVE-2024-8909 are fixed in Prisma Access Browser 129.59.2896.5, and all later Prisma Access Browser versions.

CVE-2024-9120, CVE-2024-9121, CVE-2024-9122, and CVE-2024-9123 are fixed in Prisma Access Browser 129.71.2910.1, and all later Prisma Access Browser versions.

CVE-2024-7025, CVE-2024-9369, and CVE-2024-9370 are fixed in Prisma Access Browser 129.90.2910.2, and all later Prisma Access Browser versions.

CVE-2024-9602 and CVE-2024-9603 are fixed in Prisma Access Browser 129.101.2913.3, and all later Prisma Access Browser versions.

Timeline

Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2024 Palo Alto Networks, Inc. All rights reserved.