Hello,

FME Desktop 2022.2.5, using OpenSSL 3.0.8.0, is being flagged by Defender as having three weaknesses: CVE-2023-0464, CVE-2023-0465 and CVE-2023-0466.

I can't find anything here about these three: Is there anything known about them? CVE-2023-0465 and CVE-2023-0466 are being re-analyzed, so I appreciate that we need to wait for the outcome of that analysis, but CVE-2023-0464 could potentially be quite harmful.

Thanks,

Stefan

I can confirm this; at least our Defender instance also flags these files and CVEs for FME Desktop/Form:

SoftwareName	SoftwareVersion	VulnerabilitySeverityLevel	CveId	CvssScore	IsExploitAvailable	DiskPath
openssl	3.0.5.0	High	CVE-2023-0286	8.2	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2022-4304	7.5	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2022-3602	7.5	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2023-0215	7.5	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2023-0217	7.5	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2022-4203	7.5	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2023-0401	7.5	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2023-0216	7.5	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2022-4450	7.5	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	High	CVE-2022-3786	7.5	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	Medium	CVE-2023-0464	5.3	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.8.0	Medium	CVE-2023-0464	5.3	0	-"c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
openssl	3.0.5.0	Medium	CVE-2022-3358	5.3	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	Low	CVE-2023-0465	3.7	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.8.0	Low	CVE-2023-0465	3.7	0	-"c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
openssl	3.0.5.0	Low	CVE-2023-0466	3.7	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.8.0	Low	CVE-2023-0466	3.7	0	-"c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
openssl	3.0.5.0	Low	CVE-2022-3996	3.7	0	-"c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]

(This list includes older issues in older FME versions, which are already mentioned on https://fme.safe.com/security/ )


Thanks for sharing.


@Stefan Jager @tino @klingeltone2023 Hi there, thank you for highlighting these CVEs. Currently, we are tracking all three of these internally, keeping a close eye on the NVD updates as they roll in. Once we have more information on them, I can provide an update to this thread. I'm sorry I don't have more on this issue at this time.


Hi @s.jager, @tino, @klingeltone2023, I apologize for my delay in updating this thread. I’m happy to let you know that the three CVEs mentioned above, CVE-2023-0464, -0465, and -0466, have all been resolved for our FME Platform beginning with FME 2023.2. If you have not already done so, we would encourage you to consider an upgrade to your FME assets, to at least version 2023.2, in order to move away from these identified vulnerabilities.

You can download our FME products on our Safe.com downloads page. If you’re interested, you can also check out our FME Security page, where we post information on any significant security vulnerabilities that may affect FME products, and where you can subscribe to receive our security notifications.

Thank you for your patience on this issue, and if you have any lingering questions, please don’t hesitate to post them here!

