ArcGIS Survey123 apps susceptibility to CVE-2023-4863

Description

Prior to the ArcGIS Survey123 field app version 3.24.21 and Survey123 Connect version 3.24.30, these apps were susceptible to CVE-2023-4863 — a critical heap buffer overflow vulnerability in libwebp that could allow remote attackers to execute arbitrary code via crafted HTML content.

Note:
This article only applies to Survey123 apps installed on Windows OS.

Cause

ArcGIS Survey123 Connect and the field app included a vulnerable qwebp.dll file in the installation folder, which is not removed when uninstalling the app.

Solution or Workaround

Esri recommends all users of these ArcGIS Survey123 apps remove the vulnerable file by completing one of the following steps for each app:

Survey123 Connect:

• Upgrade Survey123 Connect to version 3.24.30 or later.
• If upgrading is not an option, delete the vulnerable qwebp.dll file from the app's installation folder: 
  C:\Users\<username>\Applications\ArcGIS\Survey123Connect\plugins\imageformats\qwebp.dll
• If you've uninstalled the app, delete the entire app folder:
  C:\Users\<username>\Applications\ArcGIS\Survey123Connect

Survey123 field app:

• Upgrade the Survey123 field app to version 3.24.21 or later.
• If upgrading is not an option, delete the vulnerable qwebp.dll file from the app's installation folder: 
  C:\Users\<username>\Applications\ArcGIS\Survey123\plugins\imageformats\qwebp.dll
• If you've uninstalled the app, delete the entire app folder:
  C:\Users\<username>\Applications\ArcGIS\Survey123

For anyone installing these apps for the first time, Survey123 Connect version 3.24.30 and the field app version 3.24.21 include a fix for this issue, and the vulnerable file is no longer included in the installation.