Zultys Security Advisory Notice - SAN23-002 Rev 1.1
Webp Vulnerability - Impact on Zultys UC Clients (CVE-2023-4863)
Impacted Products
ZAC
WebZAC – depends on the web browser used
MX Mobile for iPhone – depends on operating system
Zultys Mobile for Android – depends on operating system
Affected Releases
ZAC – up to and including version 8.4.32
WebZAC – vulnerability depends on the web browser used
MX Mobile (iOS) – vulnerability depends on the underlying iOS operating system
Zultys Mobile for Android – vulnerability depends on the underlying Android operating system
Products Not Impacted
MX-SE, MX-SE II, MX-E, MX-Virtual systems
Introduction
A significant vulnerability in the Webp image processing library has been reported by Google (CVE-2023-4863).
The related ‘libwebp’ software is a third-party library used in many software applications, including the ZAC client, web browsers such as Google Chrome, Mozilla Firefox and Microsoft Edge, and the Apple iOS and Android operating systems.
Resolution
ZAC – Zultys has released an updated version of ZAC (8.4.33) which includes an updated libwebp version that resolves the vulnerability reported in CVE-2023-4863. For optimal security, Zultys recommends customers upgrade to the latest ZAC version. The latest ZAC version may be downloaded from https://www.zultys.com/zac or the KBS (https://kbs.zultys.com).
WebZAC – Exposure to the vulnerability depends on the underlying web browser being used. Update the web browser to a version containing a fix for CVE-2023-4863; refer to your web browser vendor for additional information.
MX Mobile for iPhone – Exposure to the vulnerability depends on the underlying Apple operating system. Update the iPhone to an iOS version containing a fix for CVE-2023-4863; refer to the phone vendor for additional information.
Zultys Mobile for Android – Exposure to the vulnerability depends on the underlying Android operating system. Update the Android device to a version containing a fix for CVE-2023-4863; refer to the phone vendor for additional information.
Customers should ensure that they use an updated web browser incorporating a fix for CVE-2023-4863 to access all web applications.
Additional Information
For ZAC, the softphone in version 8.0.x and later is compatible with MX Release 16.0.4 and later (Release 16.0.4 requires a patch incorporating improvement MX-5313). Customers who use the softphone and are upgrading from a ZAC version prior to 8.0.x to 8.4.33 must ensure that the MX system is running version 16.0.4 or later and that the networking requirements detailed in the ZAC 8.4 User Manual are met.
Mitigation/Workaround
For cases where it is not feasible to immediately upgrade to ZAC 8.4.33, support for Webp format images may be disabled in ZAC 8.4.32 and earlier by deleting (or renaming) the ‘qweb.dll’ file located in the ‘imageformats’ folder of the ZAC installation folder. On a Windows PC this will generally be C:\Program Files (x86)\Zultys\ZAC\imageformats.
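The following PowerShell script is an added example illustrating the workaround above; it is not Zultys-supplied code. It assumes the default installation path given in the advisory, and it assumes (this is a guess, not something the advisory states) that the ZAC entry under the standard Windows Uninstall registry keys has a DisplayName containing "ZAC"; adjust that pattern if your installer registers a different name. It checks whether the installed ZAC is earlier than 8.4.33, and only then renames ‘qweb.dll’ (rather than deleting it) so the change can be reverted after upgrading. Run it with -WhatIf first to see what it would do.

```powershell
# Added example, not part of the Zultys advisory.
# Assumptions (labelled): default ZAC install path from the advisory;
# ZAC's Uninstall registry entry has a DisplayName containing "ZAC".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ZacRoot = 'C:\Program Files (x86)\Zultys\ZAC',
    # First ZAC release that ships the fixed libwebp, per the advisory.
    [version]$FixedVersion = [version]'8.4.33'
)

$qweb = Join-Path $ZacRoot 'imageformats\qweb.dll'

function Get-ZacInstalledVersion {
    # Read the installed ZAC version from the standard Windows Uninstall keys
    # (both the native and the 32-bit WOW6432Node hives).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ZAC*' } |   # assumed DisplayName pattern
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) {
        try { return [version]$entry.DisplayVersion } catch { return $null }
    }
    return $null
}

$installed = Get-ZacInstalledVersion
if ($null -eq $installed) {
    Write-Warning "Could not determine the installed ZAC version; confirm it is 8.4.32 or earlier before applying the workaround."
} elseif ($installed -ge $FixedVersion) {
    Write-Host "ZAC $installed already contains the libwebp fix; the workaround is not needed."
    return
} else {
    Write-Host "ZAC $installed is earlier than $FixedVersion; applying the workaround."
}

if (-not (Test-Path -LiteralPath $qweb)) {
    Write-Host "qweb.dll not found at $qweb; WebP support is already disabled or ZAC is installed elsewhere."
    return
}

# Rename instead of deleting so the plugin can be restored after upgrading to 8.4.33.
if ($PSCmdlet.ShouldProcess($qweb, 'Rename to qweb.dll.disabled')) {
    Rename-Item -LiteralPath $qweb -NewName 'qweb.dll.disabled'
    Write-Host "Renamed $qweb to qweb.dll.disabled. Restart ZAC so the renamed plugin is no longer loaded."
}
```

The script must run from an elevated prompt, since the ZAC installation folder under Program Files is not writable by standard users. To revert the workaround after upgrading, rename ‘qweb.dll.disabled’ back to ‘qweb.dll’ or simply let the 8.4.33 installer replace the folder contents.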
Change Log
Revision | Date | Changes |
---|---|---|
1.0 | 2023-10-18 | Initial Security Advisory Notice. |
1.1 | 2023-10-30 | Updates to formatting of advisory. |
KBS
This SAN is also available via KBS (https://kbs.zultys.com) FAQ issue ID ‘fq-5175’
Contact
If additional information is required contact support@zultys.com or your Authorized Zultys Channel Partner.