HOTFIX: Vulnerabilities in installers created from InstallShield 2018 R2 due to zlib 1.2.3

Symptoms:

Vulnerabilities CVE-2016-9843, CVE-2016-9842, CVE-2016-9841 and CVE-2016-9840 are generically flagged against zlib versions 1.2.8 and earlier. Although zlib version 1.2.3 is not specifically tagged, InstallShield has proactively upgraded the version of zlib it uses from 1.2.3 to 1.2.11 to avoid generic vulnerability flagging.

Diagnosis:

A few binary scans show vulnerabilities associated with a different version of zlib (e.g. 1.2.2 or 1.2.8) against compressed bootstrappers (setup.exe) built with InstallShield 2018 R2. The results are confusing because the vulnerabilities are not for version 1.2.3, yet they appear in security scans and cause customers to be concerned.

Solution:

This issue is being tracked under issue #IOJ-1900586. Engineering has released a hotfix that avoids generic vulnerability flagging by upgrading zlib to version 1.2.11, which has no known vulnerabilities at the time of writing this article.

Additional Information:

Below is the download link for the zlib patch for InstallShield 2018 R2:

https://flexerasoftware.flexnetoperations.com/control/inst/AnonymousDownload?dkey=14557347
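A quick way to check a rebuilt setup.exe after applying the hotfix, as an added example (not Flexera's code or tooling): it searches the file for the version banner strings that zlib's source embeds in compiled binaries and marks any version at or below 1.2.8. It assumes the bootstrapper carries those banners in unpacked form; the sample byte strings are constructed.

```python
import re
import sys

# zlib's deflate.c and inftrees.c each embed a banner such as
# " inflate 1.2.11 Copyright 1995-2017 Mark Adler ".
BANNER = re.compile(rb"(deflate|inflate) (\d+\.\d+(?:\.\d+){0,2}) Copyright")
FLAGGED_MAX = (1, 2, 8)  # the article: CVEs are flagged against 1.2.8 and earlier


def find_zlib_versions(data):
    """Map each embedded zlib version string to the components that carry it."""
    found = {}
    for match in BANNER.finditer(data):
        component, version = (g.decode("ascii") for g in match.groups())
        found.setdefault(version, set()).add(component)
    return found


def is_flagged(version):
    """True when the version falls in the range scanners flag (<= 1.2.8)."""
    return tuple(int(p) for p in version.split(".")) <= FLAGGED_MAX


def audit(data):
    """Return (version, components, flagged) rows for one binary, oldest first."""
    rows = [(v, sorted(c), is_flagged(v)) for v, c in find_zlib_versions(data).items()]
    return sorted(rows, key=lambda r: tuple(int(p) for p in r[0].split(".")))


# Constructed sample bytes standing in for a setup.exe before and after the hotfix.
SAMPLE_OLD = (b"MZ\x90\x00" + b"\x00" * 32
              + b" deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \x00"
              + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00")
SAMPLE_NEW = (b"MZ\x90\x00" + b"\x00" * 32
              + b" deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler \x00"
              + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00")

if __name__ == "__main__":
    # Usage: python zlib_banner_check.py path\to\setup.exe [more files...]
    blobs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "sample-old": SAMPLE_OLD, "sample-new": SAMPLE_NEW}
    for name, blob in blobs.items():
        rows = audit(blob)
        if not rows:
            print(f"{name}: no zlib banner found (absent, stripped or packed)")
        for version, components, flagged in rows:
            status = "FLAGGED (<= 1.2.8)" if flagged else "ok"
            print(f"{name}: zlib {version} in {'/'.join(components)}: {status}")
```

A file that reports more than one version contains more than one zlib copy, which is worth checking when a scanner names a version you did not expect.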

Comments

Is a hotfix planned also for InstallShield Express 2019 R2? I am having issues with virus checkers flagging even the most basic setup.exe build with InstallShield Express 2019 R2 as having Malware/virus potentially in them.

With regards,

Mark

Hello,
Is there maybe also a hotfix available for InstallShield 2015 SP2 Professional Edition that we use? Our NEC quality department requested us to resolve this vulnerability.

I hope this can be solved (in the context of InstallShield 2015 SP2).

Anyone of InstallShield that can answer this or provide other options.
Would be highly appreciated by our NEC Japanese management.

Henk van der Vaart
NEC Nederland B.V.
The Netherlands

Version history
Last update: Oct 23, 2019 07:41 AM