
             AUSCERT External Security Bulletin Redistribution

     MFSA 2022-41 Security Vulnerabilities fixed in Firefox ESR 102.3
                             21 September 2022


        AusCERT Security Bulletin Summary

Product:           Mozilla Firefox ESR
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-40962 CVE-2022-40960 CVE-2022-40959
                   CVE-2022-40958 CVE-2022-40957 CVE-2022-40956

Original Bulletin: 

Comment: CVSS (Max):  None available when published

--------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-41

Security Vulnerabilities fixed in Firefox ESR 102.3

Announced: September 20, 2022
Impact:    high
Products:  Firefox ESR
Fixed in:  Firefox ESR 102.3

# CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages

Reporter: Armin Ebert
Impact:   high


During iframe navigation, certain pages did not have their FeaturePolicy fully
initialized leading to a bypass that leaked device permissions into untrusted


  o Bug 1782211

# CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads

Reporter: Armin Ebert
Impact:   high


Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This
could lead to a use-after-free causing a potentially exploitable crash.


  o Bug 1787633

# CVE-2022-40958: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix

Reporter: Axel Chong (@Haxatron)
Impact:   moderate


By injecting a cookie with certain special characters, an attacker on a shared
subdomain which is not a secure context could set and thus overwrite cookies
from a secure context, leading to session fixation and other attacks.


  o Bug 1779993

# CVE-2022-40956: Content-Security-Policy base-uri bypass

Reporter: Satoki Tsuji
Impact:   low


When injecting an HTML base element, some requests would ignore the CSP's
base-uri settings and accept the injected element's base instead.


  o Bug 1770094

# CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64

Reporter: Gary Kwong
Impact:   low


Inconsistent data in instruction and data cache when creating wasm code could
lead to a potentially exploitable crash.
This bug only affects Firefox on ARM64 platforms.


  o Bug 1777604

# CVE-2022-40962: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

Reporter: Mozilla developers and community
Impact:   high


Mozilla developers Nika Layzell, Timothy Nikkel, Jeff Muizelaar, Sebastian
Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety
bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort some of
these could have been exploited to run arbitrary code.


  o Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

--------------------------END INCLUDED TEXT--------------------
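
Added example, not part of the Mozilla advisory or of Firefox's code: the restriction that CVE-2022-40958 bypassed, written as a strict check of the __Host- and __Secure- prefix rules from the cookie specification (RFC 6265bis). The function names and sample headers are constructed for illustration; rejecting any cookie name outside the RFC 6265 token character set, and matching the prefix case-insensitively, are strictness assumptions of this sketch.

```javascript
// Added example: cookie prefix rules (RFC 6265bis). Not Firefox code.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 6265: cookie-name = token

// Split one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq).trim();
  const attrs = new Map();
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Decide whether a cookie may be stored, given whether the setting
// origin is a secure context (for example https).
function checkPrefixedCookie(header, originIsSecure) {
  const { name, attrs } = parseSetCookie(header);
  // Check the name exactly as received: anything outside the token
  // character set is rejected rather than cleaned up and re-checked.
  if (!TOKEN.test(name)) return "reject: name is not an RFC 6265 token";
  const lower = name.toLowerCase();
  const isHost = lower.startsWith("__host-");
  const isSecure = lower.startsWith("__secure-");
  if (!isHost && !isSecure) return "accept: no prefix";
  if (!originIsSecure) return "reject: prefixed cookie from non-secure origin";
  if (!attrs.has("secure")) return "reject: missing Secure attribute";
  if (isHost) {
    if (attrs.has("domain")) return "reject: __Host- must not set Domain";
    if (attrs.get("path") !== "/") return "reject: __Host- requires Path=/";
  }
  return "accept: prefix requirements met";
}

// Constructed sample headers: [Set-Cookie value, origin is secure?]
const SAMPLES = [
  ["__Host-sid=abc; Secure; Path=/", true],
  ["__Host-sid=abc; Secure; Path=/", false],
  ["__Host-sid=abc; Secure; Path=/; Domain=example.com", true],
  ["__Secure-id=1; Path=/", true],
];
for (const [header, secure] of SAMPLES) {
  console.log(`${secure ? "https" : "http "}  ${header}  ->  ${checkPrefixedCookie(header, secure)}`);
}
```

A server that relies on these prefixes for session cookies depends on the browser enforcing this check, which is why the fix is the upgrade to Firefox ESR 102.3.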

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.