About the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra

This document describes the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave and Security Update 2019-007 High Sierra.

About Apple security updates

For our customers’ protection, Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra

Released 10 December 2019

ATS

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: a malicious application may be able to access restricted files

Description: A logic issue was addressed with improved restrictions.

CVE-2019-8837: Csaba Fitzl (@theevilbit)

Entry updated 18 December 2019

Bluetooth

Available for: macOS Catalina 10.15

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitisation.

CVE-2019-8853: Jianjun Dai of Qihoo 360 Alpha Lab

CallKit

Available for: macOS Catalina 10.15

Impact: Calls made using Siri may be initiated using the wrong cellular plan on devices with two active plans

Description: An API issue existed in the handling of outgoing phone calls initiated with Siri. This issue was addressed with improved state handling.

CVE-2019-8856: Fabrice TERRANCLE of TERRANCLE SARL

CFNetwork Proxies

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: An application may be able to gain elevated privileges

Description: This issue was addressed with improved checks.

CVE-2019-8848: Zhuo Liang of Qihoo 360 Vulcan Team

Entry updated 18 December 2019

CFNetwork

Available for: macOS Catalina 10.15

Impact: An attacker in a privileged network position may be able to bypass HSTS for a limited number of specific top-level domains not in the HSTS preload list previously

Description: A configuration issue was addressed with additional restrictions.

CVE-2019-8834: Rob Sayre (@sayrer)

Entry added 3 February 2020

CUPS

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: In certain configurations, a remote attacker may be able to submit arbitrary print jobs

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8842: Niky1235 of China Mobile

Entry updated 18 December 2019

CUPS

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: An attacker in a privileged position may be able to perform a denial-of-service attack

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8839: Stephan Zeisberg of Security Research Labs

Entry updated 18 December 2019

FaceTime

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: Processing malicious video via FaceTime may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8830: natashenka of Google Project Zero

Entry updated 18 December 2019

IOGraphics

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: A Mac may not lock immediately upon wake

Description: A logic issue was addressed with improved state management.

CVE-2019-8851: Vladik Khononov of DoiT International

Entry added 3 February 2020

Kernel

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed by removing the vulnerable code.

CVE-2019-8833: Ian Beer of Google Project Zero

Entry updated 18 December 2019

Kernel

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8828: Cim Stordal of Cognite

CVE-2019-8838: Dr Silvio Cesare of InfoSect

CVE-2019-8847: Apple

CVE-2019-8852: pattern-f (@pattern_F_) of WaCai

libexpat

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: Parsing a maliciously crafted XML file may lead to disclosure of user information

Description: This issue was addressed by updating to expat version 2.2.8.

CVE-2019-15903: Joonun Jang

Entry updated 18 December 2019

Notes

Available for: macOS Catalina 10.15

Impact: A remote attacker may be able to overwrite existing files

Description: a parsing issue in the handling of directory paths was addressed with improved path validation.

CVE-2020-9782: Allison Husain of UC Berkeley

Entry added 4 April 2020

OpenLDAP

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: Multiple issues in OpenLDAP

Description: Multiple issues were addressed by updating to OpenLDAP version 2.4.28.

CVE-2012-1164

CVE-2012-2668

CVE-2013-4449

CVE-2015-1545

CVE-2019-13057

CVE-2019-13565

Entry updated 3 February 2020

Security

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8832: Insu Yun of SSLab at Georgia Tech

tcpdump

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15

Impact: Multiple issues in tcpdump

Description: Multiple issues were addressed by updating to tcpdump version 4.9.3 and libpcap version 1.9.1

CVE-2017-16808

CVE-2018-10103

CVE-2018-10105

CVE-2018-14461

CVE-2018-14462

CVE-2018-14463

CVE-2018-14464

CVE-2018-14465

CVE-2018-14466

CVE-2018-14467

CVE-2018-14468

CVE-2018-14469

CVE-2018-14470

CVE-2018-14879

CVE-2018-14880

CVE-2018-14881

CVE-2018-14882

CVE-2018-16227

CVE-2018-16228

CVE-2018-16229

CVE-2018-16230

CVE-2018-16300

CVE-2018-16301

CVE-2018-16451

CVE-2018-16452

CVE-2019-15166

CVE-2019-15167

Entry updated 11 February 2020

Wi-Fi

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: An attacker in Wi-Fi range may be able to view a small amount of network traffic

Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.

CVE-2019-15126: Milos Cermak at ESET

Entry added 27 February 2020

Additional recognition

Accounts

We would like to acknowledge Allison Husain of UC Berkeley, Kishan Bagaria (KishanBagaria.com), Tom Snelling of Loughborough University for their assistance.

Entry updated 4 April 2020

Core Data

We would like to acknowledge natashenka of Google Project Zero for their assistance.

Finder

We would like to acknowledge Csaba Fitzl (@theevilbit) for their assistance.

Entry added Wednesday, 18 December 2019

Kernel

We would like to acknowledge Daniel Roethlisberger of Swisscom CSIRT for their assistance.

Entry added 18 December 2019

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: