Yu_Wang
Pilgrim

CVEs found in the built .exe file related to ZLIB 1.2.3

We are using InstallShield 2014 and its command line to build a basic MSI project. A binary scan tool (i.e., Protecode) reports that the built .exe file (along with the built .msi) contains ZLIB 1.2.3, which has 4 CVEs: CVE-2016-9841, CVE-2016-9843, CVE-2016-9840 & CVE-2016-9842.

I am wondering how to get rid of ZLIB 1.2.3. Does upgrading InstallShield to some later version help?

Any suggestions are appreciated.
9 Replies
vishalbhatt
Flexera beginner

Re: CVEs found in the built .exe file related to ZLIB 1.2.3

@Yu_Wang Did you find the solution to this issue?

0 Kudos
Flexera Varaprasad
Flexera

Re: CVEs found in the built .exe file related to ZLIB 1.2.3


This issue has been resolved in the InstallShield 2019 version. Please refer to the release notes at the link below:

https://helpnet.flexerasoftware.com/installshield25helplib/rn/ReleaseNotes.htm

0 Kudos
vishalbhatt
Flexera beginner

Re: CVEs found in the built .exe file related to ZLIB 1.2.3

We are still using InstallShield 2014 and have no immediate plan to upgrade to the 2019 version. Is there any way to resolve this issue in the 2014 version of InstallShield? Can we update zlib 1.2.3 to the latest version in InstallShield 2014?

0 Kudos
Flexera Varaprasad
Flexera

Re: CVEs found in the built .exe file related to ZLIB 1.2.3

No, InstallShield 2014 has already passed its end-of-life date. Please refer to the link below for more information.

https://helpnet.flexerasoftware.com/eol/installshield.htm

0 Kudos
vishalbhatt
Flexera beginner

Re: CVEs found in the built .exe file related to ZLIB 1.2.3

Thanks @Varaprasad for the quick reply. I just confirmed with my team and we also have InstallShield 2016, and I can see from the link you shared that InstallShield 2016 has not reached the end of its lifecycle.

Is there any solution available to resolve the issue that we are facing related to the Zlib 1.2.3 vulnerability? Can we upgrade Zlib to a newer version in InstallShield 2016?

0 Kudos
Flexera Varaprasad
Flexera

Re: CVEs found in the built .exe file related to ZLIB 1.2.3

There is no solution currently available for 2016; however, you can contact support@flexerasoftware.com and they should be able to help you further.

0 Kudos
Flexera shunt
Flexera

Re: CVEs found in the built .exe file related to ZLIB 1.2.3

I have seen reports like this before and I think there are a few things going on here.
Firstly, it is correct that InstallShield 2016 uses zlib 1.2.3.

However, the CVE vulnerabilities that your software has returned do not reference zlib 1.2.3.

CVE-2016-9841 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841 
"inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic." 

CVE-2016-9843 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843 
"The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation." 

CVE-2016-9840 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840 
"inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic." 

CVE-2016-9842 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842 
"The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers." 

You can see that all the CVEs reference 1.2.8 and not 1.2.3. It is likely that your software sees 1.2.3 as vulnerable because it is earlier than 1.2.8.
There is, however, no confirmation or statement in the CVEs that the vulnerabilities exist in earlier versions.

We have seen a number of customers receive these confusing results from their security scanning software, and to that end our development team have updated the zlib version we use to 1.2.11.
This was included in InstallShield 2019, which is available now.

I hope this information helps. 

vishalbhatt
Flexera beginner

Re: CVEs found in the built .exe file related to ZLIB 1.2.3

Hi @shunt, thanks for the quick reply. Along with the vulnerabilities listed above, our cyber-security software also reported some historical vulnerabilities which mention Zlib versions 1.2 and later and 1.2.x in InstallShield 2016. Here's the list:

Vulnerabilities (4)
Vulnerability   Date        CVSS v2  CVSS v3  Type
CVE-2016-9841   2017/05/22  7.5      9.8      Exact match
CVE-2016-9843   2017/05/22  7.5      9.8      Exact match
CVE-2016-9840   2017/05/22  6.8      8.8      Exact match
CVE-2016-9842   2017/05/22  6.8      8.8      Exact match

Historical vulnerabilities (5)
Vulnerability   Date        CVSS v2  CVSS v3  Type
CVE-2005-2096   2005/07/05  7.5      0.0      Historical
CVE-2005-1849   2005/07/25  5.0      0.0      Historical
CVE-2004-0797   2004/10/19  2.1      0.0      Historical
CVE-2003-0107   2003/03/06  7.5      0.0      Historical
CVE-2002-0059   2002/03/14  7.5      0.0      Historical

As I mentioned before, we do not have any immediate plan to upgrade to InstallShield 2019. Is there a way to resolve this in our existing InstallShield version (2016)?

Thanks,

Vishal 

0 Kudos
Flexera shunt
Flexera

Re: CVEs found in the built .exe file related to ZLIB 1.2.3

Hi Vishal,

Thanks for the additional information -

Let me go through the additional 5 CVEs that you have reported and hopefully alleviate any concerns you have.

CVE-2005-2096:
https://nvd.nist.gov/vuln/detail/CVE-2005-2096

This states "zlib 1.2 and later". This is a rather vague statement, and it doesn't actually mean zlib 1.2 and every single version created after it; it is only referencing the later versions which existed at the time the article was written.
Towards the bottom of the article we can see "Known Affected Software Configurations". This lists the versions known to be affected, which are 1.2.0, 1.2.1 and 1.2.2.
There is no reference to 1.2.3.
I have double-checked in Flexera's own open source software manager (FlexNet Code Insight) and can confirm that it also does not report this CVE issue in 1.2.3.


CVE-2005-1849
https://nvd.nist.gov/vuln/detail/CVE-2005-1849

This article only references zlib 1.2.2.


CVE-2004-0797
https://nvd.nist.gov/vuln/detail/CVE-2004-0797

The description in this article states "zlib 1.2.x". Again, if we look at the bottom of the article we can see that the "Known Affected Software Configurations" are actually sub-versions of zlib 1.2.1.x.


CVE-2003-0107
https://nvd.nist.gov/vuln/detail/CVE-2003-0107

This references zlib 1.1.4 and not 1.2.3.


CVE-2002-0059
https://nvd.nist.gov/vuln/detail/CVE-2002-0059

This references zlib 1.1.3 and earlier, and not 1.2.3.


I hope this helps,
Stuart

0 Kudos
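The two readings of a CVE that the last two Flexera replies contrast (the loose reading of the description text versus NVD's "Known Affected Software Configurations"), modelled as an added example that is not code from the thread or from Flexera. The per-CVE version data is transcribed from the replies above, so it covers only what the thread quotes; `Advisory`, `loose_match`, `exact_match` and `triage` are names chosen here.

```python
# Added example, not code from the thread or from Flexera: models the loose
# reading of a CVE description versus NVD's known affected configurations.
# Version data is transcribed from the replies, so it covers only the thread.
from dataclasses import dataclass

def parse_version(text: str) -> tuple[int, ...]:
    """'1.2' -> (1, 2, 0) so short versions compare as x.y.0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 3 - len(parts))

@dataclass(frozen=True)
class Advisory:
    cve: str
    described: str         # version phrase used in the CVE description
    known_affected: tuple  # NVD entries: exact "1.2.2", prefix "1.2.1.", or "<=1.1.3"

ADVISORIES = tuple(Advisory(f"CVE-2016-984{n}", "1.2.8", ("1.2.8",)) for n in "0123") + (
    Advisory("CVE-2005-2096", "1.2 and later", ("1.2.0", "1.2.1", "1.2.2")),
    Advisory("CVE-2005-1849", "1.2.2", ("1.2.2",)),
    Advisory("CVE-2004-0797", "1.2.x", ("1.2.1.",)),
    Advisory("CVE-2003-0107", "1.1.4", ("1.1.4",)),
    Advisory("CVE-2002-0059", "1.1.3 and earlier", ("<=1.1.3",)),
)

def loose_match(adv: Advisory, version: str) -> bool:
    """Description-only reading: a bare 'x.y.z' is treated as 'x.y.z and older'."""
    base, _, tail = adv.described.partition(" ")
    if base.endswith(".x"):                      # "1.2.x": the whole minor family
        return version.startswith(base[:-1])
    v, ref = parse_version(version), parse_version(base)
    return v >= ref if tail == "and later" else v <= ref

def _covers(entry: str, version: str) -> bool:
    """One NVD configuration entry checked against one build version."""
    if entry.startswith("<="):                   # "<=1.1.3": that version and earlier
        return parse_version(version) <= parse_version(entry[2:])
    if entry.endswith("."):                      # "1.2.1.": every 1.2.1.x sub-version
        return version.startswith(entry)
    return parse_version(version) == parse_version(entry)

def exact_match(adv: Advisory, version: str) -> bool:
    """Only the versions NVD actually lists as affected."""
    return any(_covers(e, version) for e in adv.known_affected)

def triage(version: str) -> dict[str, list[str]]:
    """CVEs confirmed by NVD configurations vs. those only the loose reading flags."""
    confirmed = [a.cve for a in ADVISORIES if exact_match(a, version)]
    unconfirmed = [a.cve for a in ADVISORIES
                   if loose_match(a, version) and not exact_match(a, version)]
    return {"confirmed": confirmed, "unconfirmed": unconfirmed}
```

Running `triage("1.2.3")` reproduces the thread's argument: none of the nine CVEs is confirmed by the quoted configurations, while six are flagged by the loose reading alone.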