HOTFIX: Vulnerabilities in installers created from InstallShield 2018 R2 due to zlib 1.2.3

Symptoms:

Vulnerabilities CVE-2016-9843, CVE-2016-9842, CVE-2016-9841 and CVE-2016-9840 are generically flagged against zlib versions 1.2.8 and earlier. Although none of these CVEs specifically names zlib 1.2.3, InstallShield has proactively upgraded the version of zlib it uses from 1.2.3 to 1.2.11 to avoid this generic vulnerability flagging.

Diagnosis:

A few binary scans report vulnerabilities associated with a different version of zlib (for example, 1.2.2 or 1.2.8) against compressed bootstrappers (setup.exe) built with InstallShield 2018 R2. The results are confusing because the reported vulnerabilities are not for version 1.2.3, yet they still appear in security scans and cause customers to be concerned.

Solution:

This issue is being tracked under issue #IOJ-1900586. Engineering has released a hotfix that avoids the generic vulnerability flagging by upgrading the version of zlib to 1.2.11, which has no known vulnerabilities at the time of writing this article.
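Binary scanners of the kind described under Diagnosis typically identify the zlib build by the version strings zlib compiles into its inflate and deflate code (for example "inflate 1.2.11 Copyright 1995-2017 Mark Adler"). The following script is an added example, not part of this article or of InstallShield, that performs the same check locally so you can confirm a rebuilt setup.exe carries zlib 1.2.11 after applying the hotfix, and flag any bootstrapper whose embedded zlib is 1.2.8 or earlier (the range the article says is generically flagged). The marker string format and the two sample byte blobs are assumptions constructed for the example; point assess_file at a real bootstrapper to check it.

```python
import re
from typing import Dict, List, Tuple

# zlib embeds copyright strings of the form
#   " inflate <version> Copyright <years> Mark Adler "
#   " deflate <version> Copyright <years> Jean-loup Gailly and Mark Adler "
# Binary scanners key on these markers; we match the same pattern (assumed format).
ZLIB_MARKER = re.compile(rb"(?:inflate|deflate) (\d+\.\d+\.\d+(?:\.\d+)?) Copyright")

# Per the article: these four CVEs are generically flagged for zlib 1.2.8 and earlier.
LAST_FLAGGED_VERSION: Tuple[int, ...] = (1, 2, 8)
FLAGGED_CVES = ("CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.11' into (1, 2, 11) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def find_zlib_versions(blob: bytes) -> List[str]:
    """Return the distinct zlib version strings embedded in a binary, in order found."""
    versions: List[str] = []
    for match in ZLIB_MARKER.finditer(blob):
        version = match.group(1).decode("ascii")
        if version not in versions:
            versions.append(version)
    return versions


def assess(blob: bytes) -> Dict[str, object]:
    """Report embedded zlib versions and which of them fall in the flagged range."""
    versions = find_zlib_versions(blob)
    flagged = [v for v in versions if parse_version(v) <= LAST_FLAGGED_VERSION]
    return {
        "versions": versions,
        "flagged": flagged,
        # The CVE list only applies when an old zlib is actually present.
        "cves": list(FLAGGED_CVES) if flagged else [],
        "hotfix_applied": bool(versions) and not flagged,
    }


def assess_file(path: str) -> Dict[str, object]:
    """Convenience wrapper: read a bootstrapper (e.g. setup.exe) and assess it."""
    with open(path, "rb") as handle:
        return assess(handle.read())


# Constructed sample blobs standing in for a pre-hotfix and a post-hotfix setup.exe.
# They are not real installer bytes; only the zlib marker strings matter here.
OLD_BOOTSTRAPPER = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00"
    b" deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly and Mark Adler \x00"
)
PATCHED_BOOTSTRAPPER = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b" inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"
    b" deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler \x00"
)

if __name__ == "__main__":
    for label, blob in (("pre-hotfix", OLD_BOOTSTRAPPER), ("post-hotfix", PATCHED_BOOTSTRAPPER)):
        report = assess(blob)
        print(f"{label}: zlib {report['versions']} flagged={report['flagged']} cves={report['cves']}")
```

A bootstrapper that reports no marker at all is not proof of a clean build: zlib may be statically linked with the copyright strings stripped, or the scanner may key on a different signature, so treat an empty `versions` list as "undetermined" rather than "fixed".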

Additional Information:

Below is the download link for the zlib patch for InstallShield 2018 R2:

https://flexerasoftware.flexnetoperations.com/control/inst/AnonymousDownload?dkey=14557347

Last update: Oct 23, 2019 07:41 AM