About the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
This document describes the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave and Security Update 2019-007 High Sierra.
About Apple security updates
For our customers’ protection, Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
ATS
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: a malicious application may be able to access restricted files
Description: A logic issue was addressed with improved restrictions.
CVE-2019-8837: Csaba Fitzl (@theevilbit)
Bluetooth
Available for: macOS Catalina 10.15
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitisation.
CVE-2019-8853: Jianjun Dai of Qihoo 360 Alpha Lab
CallKit
Available for: macOS Catalina 10.15
Impact: Calls made using Siri may be initiated using the wrong cellular plan on devices with two active plans
Description: An API issue existed in the handling of outgoing phone calls initiated with Siri. This issue was addressed with improved state handling.
CVE-2019-8856: Fabrice TERRANCLE of TERRANCLE SARL
CFNetwork Proxies
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: An application may be able to gain elevated privileges
Description: This issue was addressed with improved checks.
CVE-2019-8848: Zhuo Liang of Qihoo 360 Vulcan Team
CFNetwork
Available for: macOS Catalina 10.15
Impact: An attacker in a privileged network position may be able to bypass HSTS for a limited number of specific top-level domains not in the HSTS preload list previously
Description: A configuration issue was addressed with additional restrictions.
CVE-2019-8834: Rob Sayre (@sayrer)
CUPS
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: In certain configurations, a remote attacker may be able to submit arbitrary print jobs
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2019-8842: Niky1235 of China Mobile
CUPS
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: An attacker in a privileged position may be able to perform a denial-of-service attack
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2019-8839: Stephan Zeisberg of Security Research Labs
FaceTime
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: Processing malicious video via FaceTime may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8830: natashenka of Google Project Zero
IOGraphics
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: A Mac may not lock immediately upon wake
Description: A logic issue was addressed with improved state management.
CVE-2019-8851: Vladik Khononov of DoiT International
Kernel
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed by removing the vulnerable code.
CVE-2019-8833: Ian Beer of Google Project Zero
Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8828: Cim Stordal of Cognite
CVE-2019-8838: Dr Silvio Cesare of InfoSect
CVE-2019-8847: Apple
CVE-2019-8852: pattern-f (@pattern_F_) of WaCai
libexpat
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: Parsing a maliciously crafted XML file may lead to disclosure of user information
Description: This issue was addressed by updating to expat version 2.2.8.
CVE-2019-15903: Joonun Jang
Notes
Available for: macOS Catalina 10.15
Impact: A remote attacker may be able to overwrite existing files
Description: a parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2020-9782: Allison Husain of UC Berkeley
OpenLDAP
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: Multiple issues in OpenLDAP
Description: Multiple issues were addressed by updating to OpenLDAP version 2.4.28.
CVE-2012-1164
CVE-2012-2668
CVE-2013-4449
CVE-2015-1545
CVE-2019-13057
CVE-2019-13565
Security
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8832: Insu Yun of SSLab at Georgia Tech
tcpdump
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15
Impact: Multiple issues in tcpdump
Description: Multiple issues were addressed by updating to tcpdump version 4.9.3 and libpcap version 1.9.1
CVE-2017-16808
CVE-2018-10103
CVE-2018-10105
CVE-2018-14461
CVE-2018-14462
CVE-2018-14463
CVE-2018-14464
CVE-2018-14465
CVE-2018-14466
CVE-2018-14467
CVE-2018-14468
CVE-2018-14469
CVE-2018-14470
CVE-2018-14879
CVE-2018-14880
CVE-2018-14881
CVE-2018-14882
CVE-2018-16227
CVE-2018-16228
CVE-2018-16229
CVE-2018-16230
CVE-2018-16300
CVE-2018-16301
CVE-2018-16451
CVE-2018-16452
CVE-2019-15166
CVE-2019-15167
Wi-Fi
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6
Impact: An attacker in Wi-Fi range may be able to view a small amount of network traffic
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2019-15126: Milos Cermak at ESET
Additional recognition
Accounts
We would like to acknowledge Allison Husain of UC Berkeley, Kishan Bagaria (KishanBagaria.com), Tom Snelling of Loughborough University for their assistance.
Core Data
We would like to acknowledge natashenka of Google Project Zero for their assistance.
Finder
We would like to acknowledge Csaba Fitzl (@theevilbit) for their assistance.
Kernel
We would like to acknowledge Daniel Roethlisberger of Swisscom CSIRT for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.