I am trying to verify specifically which versions of Firefox are vulnerable to CVE-2024-8387.
I know that typically mozilla does not put a low bound on advisories, and https://www.mozilla.org/en-US/security/advisories/mfsa2024-40/ is the advisory for vulnerabilities fixed in ESR 128.2. CVE-2024-8387 is listed here. yet the advisory for 115, https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/ does not list this vulnerability. Was this something that was only impacting 128 (for the ESR builds) or is there a mistake that either 115.15 did patch it but it wasn't documented, or the patch has been missed and ESR 115 is still vulnerable?
Ọ̀nà àbáyọ tí a yàn
That CVE is a rollup of 3 separate bugs.
2 of them don't affect the 115 ESR.
1 of them did, but the issue itself was not as concerning and it had a lot of moving parts that would have been difficult to uplift.
Because the 115 ESR is out of support in the enterprise space, we chose not to fix that one issue in the ESR.
Ka ìdáhùn ni ìṣètò kíkà 👍 2All Replies (11)
The Firefox 115.15.0esr is vulnerable yes however there has been Fx 115.16.0esr and Fx 115.16.1esr updates since Fx 115.15.0esr. There has also been Fx 128.3.0esr and Fx 128.3.1esr updates since the Fx 128.2.0esr you mentioned.
The older Firefox 115 ESR channel is planned to have updates till Fx 115.21.0esr in March 2025, though in early 2025 a decision will be made on whether to extend or not.
Fx 115.16.0esr: https://www.mozilla.org/security/advisories/mfsa2024-48/ Fx 115.16.1esr: https://www.mozilla.org/security/advisories/mfsa2024-51/ Fx 128.3.0esr: https://www.mozilla.org/security/advisories/mfsa2024-47/ Fx128.3.1esr: https://www.mozilla.org/security/advisories/mfsa2024-51/
https://www.mozilla.org/security/known-vulnerabilities/firefox-esr/ Firefox Release Notes: https://www.mozilla.org/firefox/releases/
The CVE-2024-8387 may have been a vulnerability found in later versions after Firefox 115.0 as to why it is not listed for any Firefox 115 ESR version. The Firefox 115.0 ESR is based on the Firefox 115.0 Release but with security/stability fixes since.
Ti ṣàtúnṣe
I appreciate the report that CVE-2024-8387 has been patched, but I cannot find it expicitly mentioned in any of the patches for 115 ESR. What w need to know is, was 115.15 or earlier vulnerable (or to your point, was the functionality that was vulnerable made in a product update that was not changed until after the 115 ESR branch was split off).
Neither 115.16, 115.16.1 or any other advisories mention it. We cant assume it is or is not vulnerable as the NVD pages indicates all versions below 128.2, which implies that the only way to resolve it is to go to 128.2 ESR or higher.
See also:
Ti ṣàtúnṣe
Even the NVD site https://nvd.nist.gov/vuln/detail/CVE-2024-8387 can be seen as somewhat contradictory. the beginning of the description indicates only that "Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. " but then the last sentence indicates "This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2." with no lower bound. Does this mean that there is no ower bound, or is the initial text accurate , that the vulnerability is only with Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1? I am not trying to be difficult, just that I still haven't seen anything that puts a lower bound on the vulnerability. or whether the 115 ESR branch is impacted andd was then patched (as mentioned, none of the releases fr 115 ESR mention the vuln, but unclear if thats an oversight in not patching it, not documenting the patch is available, or that it was never vulnerable)
Any further insight from the Mozilla team?
It may seem like I am being stubborn in looking for clarification, but its really not clear just which versions of ESR are vulnerable, and whether all have been patched. It is very clear that 128.1 ESR was patched with 128.2, but unclear whether 115 ESR was vulnerable at some version, and if so, if any patches in ESR 115 resolve it, or if it requires the jump to ESR 128.2 or above, which seems contradictory to the ESR branch purpose.
I would assume that this is about code that landed in Firefox 129 and thus affected 128.1.0 ESR (released along with 129) and 128.2.0 and 130.0 have the fix (i.e. Firefox ESR meaning the current 128 ESR branch and not the earlier 115 ESR branch).
- Memory safety bugs present in Firefox 129, Firefox ESR 128.1
That may be (and seems likely), but as Mozilla typically does not reference if vulnerabilities are in earlier versions of product, or make clear that this does NOT apply to ESR 115 due to it being caused by code changes in FireFox 129, how do we validate it truly did not impact ESR 115?
Ti ṣàtúnṣe
Please understand I still need clear answer on whether this was strictly something that was introduced in 129 / 128.1.0 ESR, or was actually from earlier code impacting 115 ESR.
Hey Keith, I didn't forget about you. I was trying to contact someone higher up who would know exactly. As it gets tricky for us regular folks to figure out which security exploits affect ESR builds.
You just reminded me that Mike Kaply may know this answer or be able to reach the right security engineer to get a clear answer.
I appreciate the continued investigation. If I could get directly to the security engineers I would be happy to chase it down there, but for end users and security teams where products are deployed, its important to know where the risk originates, and unfortunately, advisories often just aren't explicit enough.
Ọ̀nà àbáyọ Tí a Yàn
That CVE is a rollup of 3 separate bugs.
2 of them don't affect the 115 ESR.
1 of them did, but the issue itself was not as concerning and it had a lot of moving parts that would have been difficult to uplift.
Because the 115 ESR is out of support in the enterprise space, we chose not to fix that one issue in the ESR.