Solved

FME Desktop 2022.2.5 is flagged as having security weaknesses

  • May 1, 2023
  • 4 replies
  • 167 views

s.jager
Influencer

Hello,

FME Desktop 2022.2.5, using OpenSSL 3.0.8.0, is being flagged by Defender as having three weaknesses: CVE-2023-0464, CVE-2023-0465 and CVE-2023-0466.

I can't find anything here about these three: Is there anything known about them? CVE-2023-0465 and CVE-2023-0466 are being re-analyzed, so I appreciate that we need to wait for the outcome of that analysis, but CVE-2023-0464 could potentially be quite harmful.

Thanks,

Stefan

tino
Supporter
  • 30 replies
  • May 2, 2023

I can confirm this; at least, our Defender instance also flags these files and CVEs for FME Desktop/Form:

SoftwareName	SoftwareVersion	VulnerabilitySeverityLevel	CveId	CvssScore	IsExploitAvailable	DiskPath
openssl	3.0.5.0	High	CVE-2023-0286	8.2	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2022-4304	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2022-3602	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2023-0215	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2023-0217	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2022-4203	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2023-0401	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2023-0216	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2022-4450	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2022-3786	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	Medium	CVE-2023-0464	5.3	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.8.0	Medium	CVE-2023-0464	5.3	0	["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
openssl	3.0.5.0	Medium	CVE-2022-3358	5.3	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	Low	CVE-2023-0465	3.7	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.8.0	Low	CVE-2023-0465	3.7	0	["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
openssl	3.0.5.0	Low	CVE-2023-0466	3.7	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.8.0	Low	CVE-2023-0466	3.7	0	["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
openssl	3.0.5.0	Low	CVE-2022-3996	3.7	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]

(This list includes older issues in older FME versions, which are already mentioned on https://fme.safe.com/security/)


Thanks for sharing.
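
One way to triage an export in the column layout posted above, as an added example that is not part of the original thread: it groups the findings by the directory that holds the flagged DLLs, so each FME install shows its bundled OpenSSL build, its CVE count and its highest-scoring CVE. The function names are made up for illustration, and the sample input is three rows taken from the table above.

```python
import json
import ntpath
from collections import defaultdict

# Sample input: three rows in the layout of the export above (name, version,
# severity, CVE id, CVSS score, exploit flag, JSON list of file paths).
SAMPLE = r'''
SoftwareName SoftwareVersion VulnerabilitySeverityLevel CveId CvssScore IsExploitAvailable DiskPath
openssl 3.0.5.0 High CVE-2023-0286 8.2 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 Medium CVE-2023-0464 5.3 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.8.0 Medium CVE-2023-0464 5.3 0 ["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
'''

def parse_rows(text):
    """Parse whitespace- or tab-separated export rows; skip header and blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) != 7 or not parts[3].startswith("CVE-"):
            continue
        _name, version, severity, cve, cvss, exploit, paths = parts
        rows.append({
            "version": version,
            "severity": severity,
            "cve": cve,
            "cvss": float(cvss),
            "exploit": exploit == "1",
            "paths": json.loads(paths),  # the path column is a JSON array
        })
    return rows

def by_install(rows):
    """Map each directory containing flagged files to its versions and CVEs."""
    installs = defaultdict(lambda: {"versions": set(), "cves": {}})
    for row in rows:
        # One finding can cover several installs that ship the same build.
        for directory in {ntpath.dirname(p) for p in row["paths"]}:
            installs[directory]["versions"].add(row["version"])
            installs[directory]["cves"][row["cve"]] = row["cvss"]
    return installs

def summarize(installs):
    """Return {directory: (versions, cve_count, worst_cve, worst_score)}."""
    summary = {}
    for directory, entry in installs.items():
        worst = max(entry["cves"], key=entry["cves"].get)
        summary[directory] = (sorted(entry["versions"]), len(entry["cves"]),
                              worst, entry["cves"][worst])
    return summary

if __name__ == "__main__":
    for directory, info in sorted(summarize(by_install(parse_rows(SAMPLE))).items()):
        print(directory, *info)
```
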


natalieatsafe
Safer
  • 117 replies
  • Best Answer
  • May 15, 2023

@Stefan Jager @tino @klingeltone2023 Hi there, thank you for highlighting these CVEs. Currently, we are tracking all three of these internally, keeping a close eye on the NVD updates as they roll in. Once we have more information on them, I can provide an update to this thread. I'm sorry I don't have more on this issue at this time.


natalieatsafe
Safer
  • 117 replies
  • July 19, 2024

Hi @s.jager, @tino, @klingeltone2023, I apologize for my delay in updating this thread. I’m happy to let you know that the three CVEs mentioned above, CVE-2023-0464, -0465, and -0466, have all been resolved for our FME Platform beginning with FME 2023.2. If you have not already done so, we would encourage you to consider an upgrade to your FME assets, to at least version 2023.2, in order to move away from these identified vulnerabilities.

You can download our FME products on our Safe.com downloads page. If you’re interested, you can also check out our FME Security page, where we post information on any significant security vulnerabilities that may affect FME products, and where you can subscribe to receive our security notifications.

Thank you for your patience on this issue, and if you have any lingering questions, please don’t hesitate to post them here!