Palo Alto Networks Security Advisories / PAN-SA-2024-0016

PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates

Urgency MODERATE

047910
Severity 8.6 · HIGH
Response Effort LOW
Recovery AUTOMATIC
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction ACTIVE
Product Confidentiality HIGH
Product Integrity HIGH
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

Palo Alto Networks incorporated the following Chromium security fixes into its products:

- https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html

- https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_22.html

- https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_29.html

- https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop.html

CVECVSSSummary
CVE-2024-102298.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)Inappropriate implementation in Extensions
CVE-2024-102308.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)Type Confusion in V8
CVE-2024-102318.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)Type Confusion in V8
CVE-2024-10487Out of bounds write in Dawn
CVE-2024-10488Use after free in WebRTC
CVE-2024-99548.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)Use after free in AI
CVE-2024-9955Use after free in WebAuthentication
CVE-2024-9956Inappropriate implementation in WebAuthentication
CVE-2024-9957Use after free in UI
CVE-2024-99584.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)Inappropriate implementation in PictureInPicture
CVE-2024-9959Use after free in DevTools
CVE-2024-9960Use after free in Dawn
CVE-2024-9961Use after free in ParcelTracking
CVE-2024-99624.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)Inappropriate implementation in Permissions
CVE-2024-99634.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)Insufficient data validation in Downloads
CVE-2024-99644.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)Inappropriate implementation in Payments
CVE-2024-99658.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)Insufficient data validation in DevTools
CVE-2024-99665.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)Inappropriate implementation in Navigations
CVE-2024-10826Use after free in Family Experiences.
CVE-2024-10827Use after free in Serial.

Product Status

VersionsAffectedUnaffected
Prisma Access Browser < 130.59.2920.7>= 130.117.2920.13

Severity: HIGH

CVSSv4.0 Base Score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Solution

CVE-2024-9954, CVE-2024-9955, CVE-2024-9956, CVE-2024-9957, CVE-2024-9958, CVE-2024-9959, CVE-2024-9960, CVE-2024-9961, CVE-2024-9962, CVE-2024-9963, CVE-2024-9964, CVE-2024-9965, and CVE-2024-9966 are fixed in Prisma Access Browser 130.59.2920.7, and all later Prisma Access Browser versions.

CVE-2024-10229, CVE-2024-10230, and CVE-2024-10231 are fixed in Prisma Access Browser 130.70.2920.8, and all later Prisma Access Browser versions.

CVE-2024-10487 and CVE-2024-10488 are fixed in Prisma Access Browser 130.92.2920.10, and all later Prisma Access Browser versions.

CVE-2024-10826 and CVE-2024-10827 are fixed in Prisma Access Browser 130.117.2920.13, and all later Prisma Access Browser versions.

Timeline

Initial Publication
© 2024 Palo Alto Networks, Inc. All rights reserved.