SB2019121837 - Multiple vulnerabilities in Apple tvOS

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2019-8647)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 12.4, tvOS 12.4, watchOS 5.3. A remote attacker may be able to cause arbitrary code execution.

2) Input validation error (CVE-ID: CVE-2019-8698)

The vulnerability allows a local non-authenticated attacker to perform service disruption.

A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement. This issue is fixed in iOS 12.4, tvOS 12.4. A malicious application may be able to restrict access to websites.

Remediation

Install update from vendor's website.

References

• https://support.apple.com/HT210346
• https://support.apple.com/HT210351
• https://support.apple.com/HT210353