CVEs found in the built .exe file related to ZLIB 1.2.3
I am wondering how to get rid of ZLIB 1.2.3. Does upgrading InstallShield to a later version help?
Any suggestions are appreciated.
@Yu_Wang Did you find the solution to this issue?
This issue has been resolved in the InstallShield 2019 version. Please refer to the release notes at the link below:
https://helpnet.flexerasoftware.com/installshield25helplib/rn/ReleaseNotes.htm
We are still using InstallShield 2014 and have no immediate plan to upgrade to the 2019 version. Is there any way to resolve this issue in the 2014 version of InstallShield? Can we update zlib 1.2.3 to the latest version in InstallShield 2014?
No, InstallShield 2014 has already passed its end-of-life date. Please refer to the link below for more information.
Thanks @Varaprasad for the quick reply. I just confirmed with my team and we also have InstallShield 2016, and I can see from the link you shared that InstallShield 2016 has not reached the end-of-lifecycle.
Is there any solution available to resolve the issue that we are facing related to the zlib 1.2.3 vulnerability? Can we upgrade zlib to a newer version in InstallShield 2016?
There is no solution currently available for 2016; however, you can contact support@flexerasoftware.com and they should be able to help you further with this.
I have seen reports like this before and I think there are a few things going on here.
Firstly, it is correct that InstallShield 2016 uses zlib 1.2.3.
However the CVE vulnerabilities that your software has returned do not reference zlib 1.2.3.
CVE-2016-9841 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841
"inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic."
CVE-2016-9843 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843
"The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation."
CVE-2016-9840 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840
"inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic."
CVE-2016-9842 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842
"The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers."
You can see that all the CVEs reference 1.2.8 and not 1.2.3. It is likely that your software sees 1.2.3 as vulnerable because it is earlier than 1.2.8.
There is however no confirmation or statement in the CVE's that the vulnerabilities exist in earlier versions.
We have seen a number of customers receive these confusing results from their security scanning software, and to that end our development team have updated the zlib version we use to 1.2.11
This was included in InstallShield 2019, which is available now.
I hope this information helps.
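Before arguing about the CVEs it is worth confirming which zlib is actually compiled into the built setup.exe. The script below is an added example, not InstallShield or Revenera code. It keys on the copyright banners that zlib's deflate.c and inflate.c embed verbatim in any binary that statically links them (for 1.2.3 these are " deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly " and " inflate 1.2.3 Copyright 1995-2005 Mark Adler "), which is the same evidence most scanners rely on. SAMPLE_EXE is a constructed stand-in for a real installer, and the 1.2.11 default in needs_upgrade is the zlib version this thread says InstallShield 2019 ships.

```python
"""Locate the zlib version string compiled into a binary (e.g. a built
setup.exe).  Added example, not InstallShield or Revenera code."""
import re
import sys
from typing import Set

# zlib's deflate.c and inflate.c carry these literals, which survive in any
# binary that statically links zlib, e.g. for 1.2.3:
#   " deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly "
#   " inflate 1.2.3 Copyright 1995-2005 Mark Adler "
ZLIB_BANNER = re.compile(
    rb"(?:deflate|inflate) (\d+\.\d+\.\d+(?:\.\d+)?) Copyright \d{4}-\d{4}"
)

# Constructed stand-in for a setup.exe: junk bytes around the two zlib banners.
SAMPLE_EXE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b" deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly "
    + b"\x00" * 32
    + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler "
    + b"\xff" * 16
)


def find_zlib_versions(data: bytes) -> Set[str]:
    """Return every distinct zlib version string whose banner appears in data."""
    return {m.group(1).decode("ascii") for m in ZLIB_BANNER.finditer(data)}


def scan_file(path: str, chunk_size: int = 1 << 20) -> Set[str]:
    """Stream a large file through find_zlib_versions; a short overlap is kept
    between reads so a banner straddling a chunk boundary is not missed."""
    found: Set[str] = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                break
            window = tail + buf
            found |= find_zlib_versions(window)
            tail = window[-128:]
    return found


def version_key(version: str):
    """'1.2.11' -> (1, 2, 11) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def needs_upgrade(found: Set[str], fixed: str = "1.2.11") -> Set[str]:
    """Versions older than `fixed` (1.2.11 is the zlib the thread says
    InstallShield 2019 ships)."""
    return {v for v in found if version_key(v) < version_key(fixed)}


if __name__ == "__main__":
    versions = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_zlib_versions(SAMPLE_EXE)
    print("zlib versions found:", sorted(versions) or "none")
    print("older than 1.2.11:", sorted(needs_upgrade(versions)) or "none")
```

Run it as `python zlib_banner.py setup.exe` to scan a real installer; with no argument it scans the constructed sample. Finding both "1.2.3" and a newer version in one file is possible when the setup stub and a bundled component each link their own zlib, so report every version found rather than the first.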
Hi @shunt, thanks for the quick reply. Along with the vulnerabilities listed above, our cyber-security software also reported some historical vulnerabilities which mention the versions zlib 1.2 and later and 1.2.x in InstallShield 2016. Here's the list:
CVE           | Date       | CVSS v2 | CVSS v3 | Match
CVE-2016-9841 | 2017/05/22 | 7.5     | 9.8     | Exact match
CVE-2016-9843 | 2017/05/22 | 7.5     | 9.8     | Exact match
CVE-2016-9840 | 2017/05/22 | 6.8     | 8.8     | Exact match
CVE-2016-9842 | 2017/05/22 | 6.8     | 8.8     | Exact match
CVE-2005-2096 | 2005/07/05 | 7.5     | 0.0     | Historical
CVE-2005-1849 | 2005/07/25 | 5.0     | 0.0     | Historical
CVE-2004-0797 | 2004/10/19 | 2.1     | 0.0     | Historical
CVE-2003-0107 | 2003/03/06 | 7.5     | 0.0     | Historical
CVE-2002-0059 | 2002/03/14 | 7.5     | 0.0     | Historical
As I mentioned before we do not have any immediate plan to upgrade to InstallShield 2019. Is there a way to resolve this in our existing InstallShield version (2016).
Thanks,
Vishal
Hi Vishal,
Thanks for the additional information -
Let me go through the five additional CVEs that you have reported and hopefully alleviate any concerns you have.
CVE-2005-2096:
https://nvd.nist.gov/vuln/detail/CVE-2005-2096
This states "zlib 1.2 and later" - this is a rather vague statement and it doesn't actually mean zlib 1.2 and every single version created after it. It is only referencing the later versions which existed at the time the article was written.
Towards the bottom of the article we can see "Known Affected Software Configurations" - this lists the versions known to be affected which are 1.2.0, 1.2.1 and 1.2.2
There is no reference to 1.2.3
I have double checked in Flexera's own open source software manager (FlexNet Code Insight) and can confirm that this also does not report this CVE issue in 1.2.3
CVE-2005-1849
https://nvd.nist.gov/vuln/detail/CVE-2005-1849
This article only references zlib 1.2.2
CVE-2004-0797
https://nvd.nist.gov/vuln/detail/CVE-2004-0797
The description in this article states "zlib 1.2.x" - again if we look at the bottom of the article we can see the "Known Affected Software Configurations" are actually sub versions of zlib 1.2.1.x
CVE-2003-0107
https://nvd.nist.gov/vuln/detail/CVE-2003-0107
This references zlib 1.1.4 and not 1.2.3
CVE-2002-0059
https://nvd.nist.gov/vuln/detail/CVE-2002-0059
This references zlib 1.1.3 and earlier and not 1.2.3
I hope this helps,
Stuart
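The distinction Stuart draws, between what a CVE's description text says and what its Known Affected Software Configurations actually list, can be checked mechanically. The script below is an added example, not the forum's or Revenera's code. Its CONFIGS table is constructed from the versions named in this thread rather than fetched from NVD, the CVE-2004-0797 entry approximates the "1.2.1.x" configurations as a half-open range (an assumption), and heuristic_matches is a hypothetical model of the "flag anything no newer than the version the CVE names" rule that shunt suggests the scanner applies; it is not a description of any real scanner's logic.

```python
"""Decide whether a zlib version is affected by a CVE two ways:
  (a) heuristic: flag it if it is no newer than any version the CVE names;
  (b) CPE-style: test it against NVD-like Known Affected Software Configurations.
Added example, not forum or Revenera code; CONFIGS is constructed from the
versions this thread reports, not fetched from NVD."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.2.0' -> (1, 2): trailing zeros are dropped so 1.2 and 1.2.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


# Each CVE maps to a list of configuration nodes: either an exact "version" or a
# range using NVD's versionStart{Including,Excluding} / versionEnd{Including,Excluding}.
CONFIGS: Dict[str, List[Dict[str, str]]] = {
    # The 2016 CVEs name only zlib 1.2.8.
    "CVE-2016-9840": [{"version": "1.2.8"}],
    "CVE-2016-9841": [{"version": "1.2.8"}],
    "CVE-2016-9842": [{"version": "1.2.8"}],
    "CVE-2016-9843": [{"version": "1.2.8"}],
    # Description reads "zlib 1.2 and later"; known-affected list is 1.2.0, 1.2.1, 1.2.2.
    "CVE-2005-2096": [{"version": "1.2.0"}, {"version": "1.2.1"}, {"version": "1.2.2"}],
    "CVE-2005-1849": [{"version": "1.2.2"}],
    # Approximates the "1.2.1.x" sub-versions as a half-open range (assumption).
    "CVE-2004-0797": [{"versionStartIncluding": "1.2.1", "versionEndExcluding": "1.2.2"}],
    "CVE-2003-0107": [{"version": "1.1.4"}],
    # "zlib 1.1.3 and earlier".
    "CVE-2002-0059": [{"versionEndIncluding": "1.1.3"}],
}


def node_matches(node: Dict[str, str], v: Version) -> bool:
    """True when v satisfies every bound in the node (exact version or range)."""
    if "version" in node:
        return parse_version(node["version"]) == v
    if "versionStartIncluding" in node and v < parse_version(node["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in node and v <= parse_version(node["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in node and v > parse_version(node["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in node and v >= parse_version(node["versionEndExcluding"]):
        return False
    return True


def config_matches(cve: str, version: str) -> bool:
    """(b): affected only if some configuration node actually covers the version."""
    v = parse_version(version)
    return any(node_matches(node, v) for node in CONFIGS[cve])


def heuristic_matches(cve: str, version: str) -> bool:
    """(a): the over-broad rule; anything not newer than the highest named version is flagged."""
    v = parse_version(version)
    named = [parse_version(bound) for node in CONFIGS[cve] for bound in node.values()]
    return v <= max(named)


def triage(version: str) -> Dict[str, Tuple[bool, bool]]:
    """Per CVE: (heuristic verdict, configuration verdict) for the given zlib version."""
    return {cve: (heuristic_matches(cve, version), config_matches(cve, version)) for cve in CONFIGS}


if __name__ == "__main__":
    for ver in ("1.2.3", "1.2.8", "1.2.11"):
        print(f"zlib {ver}")
        for cve, (by_heuristic, by_config) in triage(ver).items():
            print(f"  {cve}: heuristic={by_heuristic!s:5} configuration={by_config}")
```

For zlib 1.2.3 the heuristic flags the four 2016 CVEs while the configuration check flags none of the nine, which is the false-positive pattern the thread describes; for 1.2.8 the configuration check correctly flags the four 2016 CVEs, and for 1.2.11 it flags nothing. When a scanner's report cannot be reconciled this way, the match type column (Exact match versus Historical) is the first place to look, since a historical entry with a 0.0 CVSS v3 score is usually a text match on an old description rather than a CPE hit.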