cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
danielkfl
Level 2

Zlib vulnerability CVE-2022-37434

Jump to solution

Hi Experts,

We use InstallShield for our software and we noticed a 9.8 rated critical finding in our latest OSS scan. The finding is related to Zlib. See: https://nvd.nist.gov/vuln/detail/CVE-2022-37434
Apparently this vulnerability can only be exploited if a specific method - inflateGetHeader -  is called. Therefore I'd like to know if InstallShield 2021 is affected.

So far there is no hotfix by Zlib, but there's already a request on GitHub. https://github.com/madler/zlib/issues/692

Best regards,
Daniel

Labels (1)
0 Kudos
1 Solution
vdonga
Revenera Moderator Revenera Moderator
Revenera Moderator

Hello @danielkfl 

This is Venkat Donga, Product Manager for InstallShield. Thanks for bringing this to our attention. We have reviewed this vulnerability and in our analysis it seems to affect apps only if the method 'inflateGetHeader' from zlib is invoked. Neither InstallShield nor other third party components used in InstallShield are calling this method. 

So, it's safe to say that InstallShield is not affected by this vulnerability.

Please let us know if you have any further questions on this.

View solution in original post

0 Kudos
3 Replies
shunt
Revenera Moderator Revenera Moderator
Revenera Moderator

Thanks for this Daniel - I've sent this across to our Installshield Developers so they are aware of this and we'll update this thread as soon as we have more information.

0 Kudos
vdonga
Revenera Moderator Revenera Moderator
Revenera Moderator

Hello @danielkfl 

This is Venkat Donga, Product Manager for InstallShield. Thanks for bringing this to our attention. We have reviewed this vulnerability and in our analysis it seems to affect apps only if the method 'inflateGetHeader' from zlib is invoked. Neither InstallShield nor other third party components used in InstallShield are calling this method. 

So, it's safe to say that InstallShield is not affected by this vulnerability.

Please let us know if you have any further questions on this.

0 Kudos

Many thanks for the quicky analysis!

0 Kudos