Question

FME Desktop 2022.2.5 is flagged as having security weaknesses

  • 1 May 2023
  • 3 replies
  • 33 views

Badge +8

Hello,

FME Desktop 2022.2.5, using OpenSSL 3.0.8.0, is being flagged by Defender as having three weaknesses: CVE-2023-0464, CVE-2023-0465 and CVE-2023-0466.

 

I can't find anything here about these three: Is there anything known about them? CVE-2023-0465 and CVE-2023-0466 are being re-analyzed, so I appreciate that we need to wait for the outcome of that analysis, but CVE-2023-0464 could potentially be quite harmful.

 

Thanks,

Stefan


3 replies

Badge +7

I can confirm this, at least our Defender Instance also flags these files and CVEs for FME Desktop/Form:

SoftwareName	SoftwareVersion	VulnerabilitySeverityLevel	CveId	CvssScore	IsExploitAvailable	DiskPath
openssl 3.0.5.0 High CVE-2023-0286 8.2 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 High CVE-2022-4304 7.5 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 High CVE-2022-3602 7.5 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 High CVE-2023-0215 7.5 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 High CVE-2023-0217 7.5 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 High CVE-2022-4203 7.5 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 High CVE-2023-0401 7.5 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 High CVE-2023-0216 7.5 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 High CVE-2022-4450 7.5 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 High CVE-2022-3786 7.5 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 Medium CVE-2023-0464 5.3 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.8.0 Medium CVE-2023-0464 5.3 0 ["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
openssl 3.0.5.0 Medium CVE-2022-3358 5.3 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.5.0 Low CVE-2023-0465 3.7 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.8.0 Low CVE-2023-0465 3.7 0 ["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
openssl 3.0.5.0 Low CVE-2023-0466 3.7 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl 3.0.8.0 Low CVE-2023-0466 3.7 0 ["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
openssl 3.0.5.0 Low CVE-2022-3996 3.7 0 ["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]

(This list includes older issues in older FME versions, which are already mentioned on https://fme.safe.com/security/ )

Thanks for sharing.

Badge +4

@Stefan Jager​ @tino​ @klingeltone2023​ Hi there, thank you for highlighting these CVEs. Currently, we are tracking all three of these internally, keeping a close eye on the NVD updates as they roll in. Once we have more information on them, I can provide an update to this thread. I'm sorry I don't have more on this issue at this time.

Reply