Solved

FME Desktop 2022.2.5 is flagged as having security weaknesses


s.jager
Influencer

Hello,

FME Desktop 2022.2.5, using OpenSSL 3.0.8.0, is being flagged by Defender as having three weaknesses: CVE-2023-0464, CVE-2023-0465 and CVE-2023-0466.

 

I can't find anything here about these three: Is there anything known about them? CVE-2023-0465 and CVE-2023-0466 are being re-analyzed, so I appreciate that we need to wait for the outcome of that analysis, but CVE-2023-0464 could potentially be quite harmful.

 

Thanks,

Stefan

Best answer by natalieatsafe

@Stefan Jager @tino @klingeltone2023 Hi there, thank you for highlighting these CVEs. Currently, we are tracking all three of these internally, keeping a close eye on the NVD updates as they roll in. Once we have more information on them, I can provide an update to this thread. I'm sorry I don't have more on this issue at this time.


4 replies

tino
Contributor
  • May 2, 2023

I can confirm this, at least our Defender Instance also flags these files and CVEs for FME Desktop/Form:

SoftwareName	SoftwareVersion	VulnerabilitySeverityLevel	CveId	CvssScore	IsExploitAvailable	DiskPath
openssl	3.0.5.0	High	CVE-2023-0286	8.2	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2022-4304	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2022-3602	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2023-0215	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2023-0217	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2022-4203	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2023-0401	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2023-0216	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2022-4450	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	High	CVE-2022-3786	7.5	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.5.0	Medium	CVE-2023-0464	5.3	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.8.0	Medium	CVE-2023-0464	5.3	0	["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]
openssl	3.0.5.0	Medium	CVE-2022-3358	5.3	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.5.0	Low	CVE-2023-0465	3.7	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	
openssl	3.0.8.0	Low	CVE-2023-0465	3.7	0	["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]	
openssl	3.0.5.0	Low	CVE-2023-0466	3.7	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]
openssl	3.0.8.0	Low	CVE-2023-0466	3.7	0	["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll","c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]	
openssl	3.0.5.0	Low	CVE-2022-3996	3.7	0	["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]	

(This list includes older issues in older FME versions, which are already mentioned on https://fme.safe.com/security/ )
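
Added example, not part of the post above or of any Safe Software tooling: the Defender export lists one row per CVE, so this Python code pivots it by install directory to show which FME folder carries which OpenSSL build and findings. The sample reuses four rows from the export above; the function name `findings_by_install` is hypothetical.

```python
import csv
import io
import json
from collections import defaultdict
from pathlib import PureWindowsPath

HEADER = ["SoftwareName", "SoftwareVersion", "VulnerabilitySeverityLevel",
          "CveId", "CvssScore", "IsExploitAvailable", "DiskPath"]
# DiskPath values as they appear in the export: a JSON array of DLL paths.
P221 = r'["c:\\bin\\fme221\\libcrypto_fme.dll","c:\\bin\\fme221\\libssl_fme.dll"]'
P222_230 = (r'["c:\\bin\\fme222\\libcrypto_fme.dll","c:\\bin\\fme222\\libssl_fme.dll",'
            r'"c:\\bin\\fme230\\libcrypto_fme.dll","c:\\bin\\fme230\\libssl_fme.dll"]')
# Four rows reused from the export; "" reproduces the trailing tab some rows have.
ROWS = [
    ["openssl", "3.0.5.0", "High", "CVE-2023-0286", "8.2", "0", P221, ""],
    ["openssl", "3.0.5.0", "Medium", "CVE-2023-0464", "5.3", "0", P221, ""],
    ["openssl", "3.0.8.0", "Medium", "CVE-2023-0464", "5.3", "0", P222_230],
    ["openssl", "3.0.8.0", "Low", "CVE-2023-0465", "3.7", "0", P222_230, ""],
]
SAMPLE = "\n".join("\t".join(r) for r in [HEADER] + ROWS)


def findings_by_install(tsv_text):
    """Return {install_dir: {"openssl": set, "cves": set, "max_cvss": float}}."""
    installs = defaultdict(
        lambda: {"openssl": set(), "cves": set(), "max_cvss": 0.0})
    # QUOTE_NONE: the double quotes inside DiskPath belong to the JSON, not to CSV.
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    for row in reader:
        # One row can cover DLLs in several install directories.
        for dll in json.loads(row["DiskPath"]):
            entry = installs[str(PureWindowsPath(dll).parent).lower()]
            entry["openssl"].add(row["SoftwareVersion"])
            entry["cves"].add(row["CveId"])
            entry["max_cvss"] = max(entry["max_cvss"], float(row["CvssScore"]))
    return dict(installs)


if __name__ == "__main__":
    for folder, info in sorted(findings_by_install(SAMPLE).items()):
        print(folder, sorted(info["openssl"]), info["max_cvss"],
              ", ".join(sorted(info["cves"])))
```
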


Thanks for sharing.




natalieatsafe
Safer

Hi @s.jager, @tino, @klingeltone2023, I apologize for my delay in updating this thread. I’m happy to let you know that the three CVEs mentioned above, CVE-2023-0464, -0465, and -0466, have all been resolved for our FME Platform beginning with FME 2023.2. If you have not already done so, we would encourage you to consider an upgrade to your FME assets, to at least version 2023.2, in order to move away from these identified vulnerabilities.

You can download our FME products on our Safe.com downloads page. If you’re interested, you can also check out our FME Security page, where we post information on any significant security vulnerabilities that may affect FME products, and where you can subscribe to receive our security notifications.

Thank you for your patience on this issue, and if you have any lingering questions, please don’t hesitate to post them here!

