• EN
Question

FME Desktop 2022.2.5 is flagged as having security weaknesses

s.jager
Rank
Badge +8

Hello,

FME Desktop 2022.2.5, using OpenSSL 3.0.8.0, is being flagged by Defender as having three weaknesses: CVE-2023-0464, CVE-2023-0465 and CVE-2023-0466.

 

I can't find anything here about these three: Is there anything known about them? CVE-2023-0465 and CVE-2023-0466 are being re-analyzed, so I appreciate that we need to wait for the outcome of that analysis, but CVE-2023-0464 could potentially be quite harmful.

 

Thanks,

Stefan

3 replies

tino
Rank
Badge +7

I can confirm this, at least our Defender Instance also flags these files and CVEs for FME Desktop/Form:

SoftwareName	SoftwareVersion	VulnerabilitySeverityLevel	CveId	CvssScore	IsExploitAvailable	DiskPath
openssl	3.0.5.0	High	CVE-2023-0286	8.2	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2022-4304	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2022-3602	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2023-0215	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2023-0217	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2022-4203	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2023-0401	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2023-0216	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2022-4450	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2022-3786	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	Medium	CVE-2023-0464	5.3	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.8.0	Medium	CVE-2023-0464	5.3	0	["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
openssl	3.0.5.0	Medium	CVE-2022-3358	5.3	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	Low	CVE-2023-0465	3.7	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.8.0	Low	CVE-2023-0465	3.7	0	["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]	
openssl	3.0.5.0	Low	CVE-2023-0466	3.7	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.8.0	Low	CVE-2023-0466	3.7	0	["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]	
openssl	3.0.5.0	Low	CVE-2022-3996	3.7	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]

(This list includes older issues in older FME versions, which are already mentioned on https://fme.safe.com/security/ )

K

Thanks for sharing.

natalieatsafe
Rank
Badge +6

@Stefan Jager​ @tino​ @klingeltone2023​ Hi there, thank you for highlighting these CVEs. Currently, we are tracking all three of these internally, keeping a close eye on the NVD updates as they roll in. Once we have more information on them, I can provide an update to this thread. I'm sorry I don't have more on this issue at this time.

Reply


Community Stats

28,867
Posts
109,983
Replies
36,671
Members
Terms & ConditionsCookie settings
A product of
Safe Software respectfully acknowledges that we live, learn and work on the traditional and unceded territories of the Kwantlen, Katzie, and Semiahmoo First Nations.