- Re: CVE-2022-37434 in MSI build with InstallShield 2022 R1
We are building our setup with InstallShield 2022 R1 Standalone Build.
BDBA scan of the generated MSI file reports CVE-2022-37434 for zlib 1.2.12 in the following files:
- Binary.ISPrereqLauncher
- Binary.ISSetup.dll
Is there a workaround to mitigate the CVE?
When does Revenera plan to migrate to latest zlib version?
This CVE reports that only apps that call zlib's 'inflateGetHeader' method are affected.
Neither InstallShield nor other third-party components used in InstallShield are calling this method, and therefore InstallShield is not affected by this vulnerability.
I hope this helps.
Thanks for the information, which is fine to remediate the CVE for the cyber security report of our next release.
Could you anyway share some insights on the roadmap to migrate InstallShield to new zlib version?
Any update on the InstallShield roadmap for migration to the latest zlib library?
InstallShield 2022 R2 includes zlib 1.2.13
Hope this helps,
Stuart
Hello @shunt, on similar lines, the BDBA scan report of an MSI built with IS2023R1 shows that zlib is detected for Binary.ISPrereqLauncher (Zlib 1.2.13), Binary.ISSetup.dll (no version) and Setup.exe (no version).
Would you let us know the version of zlib used in InstallShield 2023 R1? It would also be helpful if you could point to the 'Non-Commercial Software Disclosures Form', if available, for InstallShield software.
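For triaging scanner findings like the ones discussed in this thread, the following is an added example (not part of any post, and not Revenera's or BDBA's code) that reads the zlib version from the copyright banners zlib compiles into its inflate and deflate code, then checks it against the CVE-2022-37434 range. It assumes the streams (for example Binary.ISSetup.dll) have already been extracted from the MSI as uncompressed files; the function names and sample bytes are constructed for illustration.

```python
import re
import sys

# zlib compiles these banners (inflate_copyright / deflate_copyright) into
# every build, so they survive static linking into a DLL or EXE.
ZLIB_BANNER = re.compile(
    rb" (?:inflate|deflate) (\d+(?:\.\d+){1,3})[^ ]* Copyright 1995-")

# CVE-2022-37434 affects zlib through 1.2.12; 1.2.13 carries the fix.
FIRST_FIXED = (1, 2, 13)

# Constructed sample inputs: fake binary bytes around a real banner format.
SAMPLE_OLD = b"MZ\x90\x00" + b" inflate 1.2.12 Copyright 1995-2022 Mark Adler \x00"
SAMPLE_FIXED = b"MZ\x90\x00" + (
    b" deflate 1.2.13 Copyright 1995-2022 Jean-loup Gailly and Mark Adler \x00")


def zlib_versions(blob):
    """Return the set of zlib version strings embedded in a binary blob."""
    return {m.group(1).decode("ascii") for m in ZLIB_BANNER.finditer(blob)}


def triage(blob):
    """Map each embedded zlib version to a CVE-2022-37434 triage status."""
    result = {}
    for version in zlib_versions(blob):
        parts = tuple(int(p) for p in version.split("."))
        if parts < FIRST_FIXED:
            # Version alone is not proof of exposure: the flaw is only
            # reachable when the application calls inflateGetHeader.
            result[version] = "in affected range; check inflateGetHeader use"
        else:
            result[version] = "fixed version"
    return result


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            findings = triage(fh.read())
        # An empty result means no banner was found (stripped or packed file).
        print(path, findings or "no zlib banner found")
```

An empty result does not prove zlib is absent, since a packed or compressed file hides the banner.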