CVE-2022-1096

Post by Adriaanse » Tue Apr 05, 2022 7:49 am

Hearing in the news about the recent zero-day CVE-2022-1096 exploit in Chromium, we are wondering how large a risk this is to users of JCEF?

Since CVE-2022-1096 was published, I can see that 4 commits updating to a more recent Chromium version have been committed in the CEF repository, so I assume this is a work in progress and a JCEF update may follow. But there is no mention anywhere in the CEF/JCEF forums, so I hope you don't mind me asking: is there a JCEF update upcoming to fix CVE-2022-1096?

Some info from avertium.com:

On March 23, 2022, Google was alerted about a dangerous zero-day vulnerability found in all Chromium based browsers. An anonymous sender discovered the vulnerability, which is being tracked as CVE-2022-1096. The bug is a type confusion vulnerability and is currently being exploited by threat actors in the wild – making all Chromium based browsers vulnerable to attacks. The browsers included are: Microsoft’s Edge, Amazon Silk, Brave, Opera, Samsung Internet, Vivaldi, and Yandex.

CVE-2022-1096 affects 2 billion users and the threat level is rated “high” by Google. The vulnerability is a type confusion weakness located in the Chrome V8 JavaScript and WebAssembly engine. This flaw allows threat actors to execute arbitrary code on victim devices and allows the threat actor to trick Chrome into running malicious code. V8 is a component within Chrome that processes JavaScript, which is the engine that’s at the heart of Chrome.

Re: CVE-2022-1096

Post by magreenblatt » Tue Apr 05, 2022 10:03 am

> how large a risk this is to users of JCEF?

You could be at risk if you are loading untrusted content from the internet.

> is there a JCEF update upcoming to fix CVE-2022-1096?

Updates are contributed by volunteers. I'm not aware of any update in progress at the moment.

Re: CVE-2022-1096

Post by Adriaanse » Tue Apr 05, 2022 1:25 pm

Thank you for the fast response.

Would you know if there are instructions for doing this? I know how to build JCEF for Linux and Windows, but have not looked for a way to get a newer CEF version in the process and fix what may need to be fixed...

Re: CVE-2022-1096

Post by magreenblatt » Tue Apr 05, 2022 2:06 pm

There are no detailed instructions, but you can look at some of the recent "Update to CEF version..." PRs to get an idea of how it works: https://bitbucket.org/chromiumembedded/ ... f/commits/

Re: CVE-2022-1096

Post by magreenblatt » Thu Apr 07, 2022 9:59 am

JCEF has been updated to 100.0.14+g4e5ba66+chromium-100.0.4896.75.
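
Added example, not part of the thread and not JCEF project code: a startup check that parses a CEF version string in the format announced above and fails closed when the embedded Chromium build is older than a chosen baseline. The class and method names are hypothetical, the baseline is simply the build named in the post above, and the other sample strings are constructed.

```java
import java.util.Arrays;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CefChromiumBaseline {
    // Format seen in the thread: <cef version>+g<commit>+chromium-<a.b.c.d>
    private static final Pattern CHROMIUM =
            Pattern.compile("\\+chromium-(\\d+)\\.(\\d+)\\.(\\d+)\\.(\\d+)$");

    /** Extracts the four-part Chromium version; rejects strings that lack one. */
    static int[] chromiumVersion(String cefVersion) {
        Matcher m = CHROMIUM.matcher(cefVersion.trim());
        if (!m.find()) {
            throw new IllegalArgumentException("no chromium version in: " + cefVersion);
        }
        int[] v = new int[4];
        for (int i = 0; i < 4; i++) {
            v[i] = Integer.parseInt(m.group(i + 1));
        }
        return v;
    }

    /** True when the bundled Chromium is at or above the baseline build. */
    static boolean meetsBaseline(String bundled, String baseline) {
        // Lexicographic comparison over major.minor.build.patch (Java 9+).
        return Arrays.compare(chromiumVersion(bundled), chromiumVersion(baseline)) >= 0;
    }

    public static void main(String[] args) {
        // Baseline: the build announced in the thread.
        String baseline = "100.0.14+g4e5ba66+chromium-100.0.4896.75";
        // Constructed sample inputs; only the first string appears in the thread.
        String[] samples = {
            baseline,
            "99.0.0+g0000000+chromium-99.0.0.1",   // constructed: older build
            "101.0.0+g0000000+chromium-101.0.0.1", // constructed: newer build
            "not-a-version"                         // constructed: malformed
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + (meetsBaseline(s, baseline) ? "OK" : "OUTDATED"));
            } catch (IllegalArgumentException e) {
                // Fail closed: an unparseable version is treated as outdated.
                System.out.println(s + " -> OUTDATED (" + e.getMessage() + ")");
            }
        }
    }
}
```
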

Re: CVE-2022-1096

Post by Adriaanse » Thu Apr 07, 2022 12:41 pm

That is good news. I will review the commit to see what was required and can proceed with updating our application. Thank you!

Re: CVE-2022-1096

Post by FriwiDev » Thu Apr 07, 2022 7:16 pm

I updated jcefmaven to the fixed version to also solve the issue for Maven-based projects :)
Maintainer of jcefmaven on GitHub.