CVEs found in the built .exe file related to ZLIB 1.2.3
I am wondering how to get rid of ZLIB 1.2.3. Does upgrading InstallShield to some later version help?
Any suggestions are appreciated.
This issue has been resolved in the InstallShield 2019 version. Please refer to the release notes at the link below:
We are still using InstallShield 2014 and have no immediate plan to upgrade to the 2019 version. Is there any way to resolve this issue in the 2014 version of InstallShield? Can we update zlib 1.2.3 to the latest version in InstallShield 2014?
No, InstallShield 2014 has already passed its end-of-life date. Please refer to the link below for more information.
Thanks @Varaprasad for the quick reply. I just confirmed with my team and we also have InstallShield 2016, and I can see from the link you shared that InstallShield 2016 has not reached the end-of-lifecycle.
Is there any solution available to resolve the issue that we are facing related to the Zlib 1.2.3 vulnerability? Can we upgrade Zlib to a newer version in InstallShield 2016?
There is no solution currently available for 2016, however you can contact email@example.com and they should be able to help you on this further.
I have seen reports like this before and I think there are a few things going on here.
Firstly - it is correct that InstallShield 2016 uses zlib 1.2.3.
However, the CVE vulnerabilities that your software has returned do not reference zlib 1.2.3.
CVE-2016-9841 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841
"inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic."
CVE-2016-9843 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843
"The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation."
CVE-2016-9840 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840
"inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic."
CVE-2016-9842 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842
"The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers."
You can see that all the CVEs reference 1.2.8 and not 1.2.3. It is likely that your software sees 1.2.3 as vulnerable as it is earlier than 1.2.8.
There is however no confirmation or statement in the CVEs that the vulnerabilities exist in earlier versions.
We have seen a number of customers receive these confusing results from their security scanning software, and to that end our development team have updated the zlib version we use to 1.2.11.
This was included in InstallShield 2019, which is available now.
I hope this information helps.
Hi @shunt, thanks for the quick reply. Along with the vulnerabilities listed above, our cyber-security software also reported some historical vulnerabilities which mention the versions of Zlib 1.2 and later and 1.2.x in InstallShield 2016. Here's the list
As I mentioned before, we do not have any immediate plan to upgrade to InstallShield 2019. Is there a way to resolve this in our existing InstallShield version (2016)?
Thanks for the additional information -
Let me go through the additional 5 CVEs that you have reported and hopefully alleviate any concerns you have.
This states "zlib 1.2 and later" - this is a rather vague statement and it doesn't actually mean zlib 1.2 and every single version created after it. It is only referencing the later versions which existed at the time the article was written.
Towards the bottom of the article we can see "Known Affected Software Configurations" - this lists the versions known to be affected which are 1.2.0, 1.2.1 and 1.2.2
There is no reference to 1.2.3
I have double checked in Flexera's own open source software manager (FlexNet Code Insight) and can confirm that this also does not report this CVE issue in 1.2.3
This article only references zlib 1.2.2
The description in this article states "zlib 1.2.x" - again if we look at the bottom of the article we can see the "Known Affected Software Configurations" are actually sub versions of zlib 1.2.1.x
This references zlib 1.1.4 and not 1.2.3
This references zlib 1.1.3 and earlier and not 1.2.3
I hope this helps,
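
Added example (not part of the thread and not Revenera's code): a way to confirm which zlib version is actually embedded in a built .exe, and to see how it relates to the version named in the four CVE descriptions quoted above. It assumes the zlib copyright banner strings that zlib compiles in are present uncompressed in the file; the function names and the sample bytes are constructed for illustration.

```python
import re

# zlib compiles in banners such as
# " inflate 1.2.3 Copyright 1995-2005 Mark Adler ".
ZLIB_BANNER = re.compile(rb"(inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")

# Version named in each CVE description quoted in the thread.
CVE_NAMED_VERSION = {
    "CVE-2016-9840": "1.2.8",
    "CVE-2016-9841": "1.2.8",
    "CVE-2016-9842": "1.2.8",
    "CVE-2016-9843": "1.2.8",
}

def parse(version):
    # Compare numerically: as strings, "1.2.11" would sort before "1.2.8".
    return tuple(int(part) for part in version.split("."))

def embedded_zlib_versions(blob):
    """Return the distinct zlib versions whose banners appear in blob."""
    found = {m.group(2).decode() for m in ZLIB_BANNER.finditer(blob)}
    return sorted(found, key=parse)

def classify(found, cve_id):
    """Relate a detected version to the version the CVE text names."""
    named = parse(CVE_NAMED_VERSION[cve_id])
    if parse(found) == named:
        return "named-in-cve"
    if parse(found) < named:
        return "earlier-than-named"  # what a range-based scanner rule flags
    return "later-than-named"

def report(blob):
    return {v: {c: classify(v, c) for c in CVE_NAMED_VERSION}
            for v in embedded_zlib_versions(blob)}

# Constructed sample: stand-in bytes for a built installer, not a real file.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b" deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \x00"
          + b"\x01\x02"
          + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for version, verdicts in report(data).items():
        print(version, verdicts)
```

Pass the path of the built setup file as the first argument to check a real build; an empty result means no uncompressed banner was found, not that zlib is absent.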