PSA: Security vulnerability in WebRTC

hu...@webrtc.org

May 4, 2017, 3:31:57 PM
to discuss-webrtc
A security vulnerability has been addressed in WebRTC. We recommend that all WebRTC-based applications update to the latest version.

[679306] High CVE-2017-5068: Race condition in WebRTC. Credit to Philipp Hancke
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. The vulnerability has been addressed in Chrome Stable 58.0.3029.96.

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed. Affected third parties can reply privately for detailed information about the issue.

Regards,
Huib Kleinhout
Product Manager WebRTC

Ajay Choudary

May 5, 2017, 1:55:13 PM
to discuss-webrtc
Many people are still using old versions of CEF/Electron, and Chrome has also stopped updates for old operating systems.
So I just wanted to know: from which version was Chrome affected by this vulnerability?

Is the issue specific to Chrome, or does it affect any app using the WebRTC source (Opera, native apps)?

hu...@webrtc.org

May 5, 2017, 6:05:18 PM
to discuss-webrtc
The issue was found in a core part of WebRTC and affects most applications using WebRTC, including Chrome and native apps using the C++, Java, and Objective-C APIs.
Apps using a version of WebRTC older than a few months are not vulnerable.

Don't hesitate to reply privately if you need to know more precise information.

Regards,
Huib

Andy Lee

May 8, 2017, 2:41:49 AM
to discuss-webrtc
Can you be more specific on the following statement?

> Apps using a version of WebRTC older than a few months are not vulnerable.

Andy

hu...@webrtc.org

May 8, 2017, 6:04:18 AM
to discuss-webrtc
Hi,

To prevent potential misuse of the vulnerability before WebRTC-based applications have updated, further details are only shared with those who are maintaining such applications.
Please reply privately if you are in this position and provide some information about the product and your role in it.

Huib