Summary & Key Actions Required

We have completed our analysis of CVE-2023-49093, which we became aware of on December 5th 2023. It currently has a base CVSS score of 9.8 and affects the software component htmlunit. We will update this article if more information becomes available and will highlight any change to our recommendations or plans.


The current recommendation is for customers to upgrade to Avantra 24.0.2 and above to mitigate the risk associated with this CVE. The risk is highest for customers using custom and built-in checks to interact with untrusted and 3rd party web endpoints.


For customers still on Avantra 23, Avantra agent 23.3.6 is available and is an agent-only release to mitigate this issue.


Related security articles:


CVE-2023-49093 Summary

Please see this article for more information:


Impact to Avantra

We have completed our investigations and analysis around this CVE.


We can confirm that Avantra versions 24.0.1 and below used org.htmlunit:htmlunit version 3.7.0, which is below the patched version, 3.9.0, recommended in the advisory.


From Avantra 24.0.2 and above, the component has been patched to version 3.9.0 and this is available as of Friday December 8th for both the Server and Agent. For customers still on Avantra 23, Avantra agent 23.3.6 is available and is an agent-only release to mitigate this issue.
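To confirm after an upgrade that no htmlunit copy below 3.9.0 remains on a host, the jar files under an installation directory can be inventoried. The script below is an added example, not Avantra's own tooling. It assumes the jars follow standard Maven packaging (a pom.properties entry inside the jar, or an htmlunit-<version>.jar file name), and the directory to scan is supplied by you.

```python
import re
import sys
import zipfile
from pathlib import Path

PATCHED = (3, 9, 0)  # fixed htmlunit version named in this notice
# Assumption: Maven-built jars carry META-INF/maven/<groupId>/htmlunit/pom.properties
POM_RE = re.compile(r"^META-INF/maven/[^/]+/htmlunit/pom\.properties$")
NAME_RE = re.compile(r"^htmlunit-(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '3.7.0' or '3.9.0-SNAPSHOT' into a comparable 3-part tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def htmlunit_version(jar_path):
    """Return the htmlunit version found in a jar, or None if it has none."""
    jar_path = Path(jar_path)
    try:
        with zipfile.ZipFile(jar_path) as jar:
            for entry in jar.namelist():
                if POM_RE.match(entry):  # also catches copies bundled in a fat jar
                    props = jar.read(entry).decode("utf-8", "replace")
                    found = re.search(r"^version=(.+)$", props, re.M)
                    if found:
                        return parse_version(found.group(1).strip())
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    by_name = NAME_RE.match(jar_path.name)
    return parse_version(by_name.group(1)) if by_name else None


def scan(root):
    """Map each htmlunit-bearing jar under root to (version, below_patched)."""
    report = {}
    for jar_path in sorted(Path(root).rglob("*.jar")):
        version = htmlunit_version(jar_path)
        if version is not None:
            report[str(jar_path)] = (version, version < PATCHED)
    return report


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (version, vulnerable) in scan(root).items():
        print("VULNERABLE" if vulnerable else "ok", ".".join(map(str, version)), path)
```

Run it with the installation directory as the only argument; companion artifacts such as htmlunit-core-js are deliberately not matched.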


Impact on our customers

We recommend customers upgrade to Avantra 24.0.2 to mitigate the risk associated with this CVE. For customers still on Avantra 23, Avantra agent 23.3.6 is available and is an agent-only release to mitigate this issue. 


This component is used when the Avantra agent makes outbound calls to web endpoints as part of custom and built-in checks. If you are contacting third-party or untrusted websites, we recommend upgrading as soon as possible so that a malicious endpoint among those you have chosen to contact cannot cause issues with your agent.



Change Log

15th Dec 2023, 08:00 CET: Notice updated to include information about fix availability for Avantra 23 systems (23.3.6 agent-only release).

11th Dec 2023, 11:00 CET: Notice updated to include information about the fix applied in Avantra 24.0.2 and above.

5th Dec 2023, 16:30 CET: Initial Notice Published


We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.