on 2024 Jul 22 5:47 PM
I run the Vulnerability report of my product that uses Crystal Reports for Visual Studio latest Support Pack SP36, and several Critical and High severity issues were found (see packages with their versions below). Can you advise how these vulnerability issues can be eliminated?
The report finds very old versions of some packages - it is very strange to see them in the latest SP.
Package | Version | Modules | Severity | Vulnerabilities |
libicu | 3.0 | crdb_p2ssyb10.dll, icuin30.dll, keydecoder.dll | critical | CVE-2015-5922, CVE-2016-6293, CVE-2017-17484 |
libicu | 3.0 | crdb_p2ssyb10.dll, icuin30.dll, keydecoder.dll | high | CVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484, CVE-2017-7867, CVE-2017-7868, CVE-2020-10532 |
libicu | 3.4 | icuuc30.dll | critical | CVE-2014-9654, CVE-2014-9911, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484 |
libicu | 3.4 | icuuc30.dll | high | CVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531 |
libicu | 4.4 | icuin42.dll | critical | CVE-2014-9911, CVE-2015-5922, CVE-2017-14952, CVE-2017-17484 |
libicu | 4.4 | icuin42.dll | high | CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531 |
libicu | 4.2.1 | icuuc42.dll, icudt42.dll | critical | CVE-2014-9911, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484 |
libicu | 4.2.1 | icuuc42.dll, icudt42.dll | high | CVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531 |
libjpeg | 9a | cslibu-3-0.dll | high | CVE-2020-14153 |
libtiff | 4.5.1 | cslibu-3-0.dll | high | CVE-2023-52355 |
openssl | 1.0.2f | sapcrypto.dll | critical | CVE-2016-2177, CVE-2022-1292, CVE-2022-2068 |
openssl | 1.0.2f | sapcrypto.dll | high | CVE-2016-8610, CVE-2022-0778, CVE-2023-0215, CVE-2023-0464 |
zlib | 1.2.12 | boezlib.dll, zlib.dll | critical | CVE-2022-37434, CVE-2023-45853 |
Here's the response from R&D, from the looks of her response they have all been looked at and none of API's are used by CR or not relevant:
Package | Version | Modules | Severity | Vulnerabilities |
libicu | 3.0 | crdb_p2ssyb10.dll, icuin30.dll, keydecoder.dll | critical | CVE-2015-5922, CVE-2016-6293, CVE-2017-17484 CVE-2015-5922 Crystal reports is not supported on Apple OSX. so not impacted by this CVE-2016-6293 we don't use uloc_acceptLanguageFromHTTP . so not impacted by this CVE-2017-17484 we don't use function ucnv_UTF8FromUTF8
|
libicu | 3.0 | crdb_p2ssyb10.dll, icuin30.dll, keydecoder.dll | high | CVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484, CVE-2017-7867, CVE-2017-7868, CVE-2020-10532 CVE-2011-4599 we don't use _canonicalize function. so we are not impacted by this CVE-2014-7923 we don't use this TP in chrome. So we are not impacted by this CVE-2014-7926 we don't use this TP in chrome. So we are not impacted by this CVE-2014-8146 we don't use resolveImplicitLevels function. So Not impacted by this. CVE-2014-8147 we don't use resolveImplicitLevels function. So Not impacted by this. CVE-2015-5922 Crystal reports is not supported on Apple OSX. so not impacted by this CVE-2016-6293 we don't use uloc_acceptLanguageFromHTTP . so not impacted by this CVE-2017-17484 we don't use function ucnv_UTF8FromUTF8 CVE-2017-7867 we don't use utf8TextAccess function so we are not impacted by this CVE CVE-2017-7868 we don't use utf8TextAccess function so we are not impacted by this CVE CVE-2020-10531 we don't use UnicodeString::doAppend(). So not impacted by this CVE-2020-10532 is it a typo? Icu only has CVE CVE-2020-10531. |
libicu | 3.4 | icuuc30.dll | critical | CVE-2014-9654, CVE-2014-9911, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484 CVE-2015-5922 Crystal reports is not supported on Apple OSX. so not impacted by this CVE-2014-9911 we are not using ures_getByKeyWithFallback . so not impacted by this CVE-2014-9654 we are not using this component in Chrome. So not impacted by this CVE-2016-6293 we don't use function uloc_acceptLanguageFromHTTP CVE-2017-17484 we don't use function ucnv_UTF8FromUTF8
|
libicu | 3.4 | icuuc30.dll | high | CVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531 Duplicated CVEs with icuin30.dll |
libicu | 4.4 | icuin42.dll | critical | CVE-2014-9911, CVE-2015-5922, CVE-2017-14952, CVE-2017-17484 CVE-2014-9911 we are not using ures_getByKeyWithFallback . so not impacted by this CVE-2015-5922 Crystal reports is not supported on Apple OSX. so not impacted by this CVE-2017-14952 we don't use function ZoneMeta::createMetazoneMappings in file icu/i18n/zonemeta.cpp CVE-2017-17484 we don't use function ucnv_UTF8FromUTF8
|
libicu | 4.4 | icuin42.dll | high | CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531 Duplicated CVEs with icuuc30.dll |
libicu | 4.2.1 | icuuc42.dll, icudt42.dll | critical | CVE-2014-9911, CVE-2015-5922, CVE-2016-6293, CVE-2017-17484 Duplicated CVEs with above |
libicu | 4.2.1 | icuuc42.dll, icudt42.dll | high | CVE-2011-4599, CVE-2014-7923, CVE-2014-7926, CVE-2014-8146, CVE-2014-8147, CVE-2017-7867, CVE-2017-7868, CVE-2020-10531 Duplicated CVEs with above |
libjpeg | 9a | cslibu-3-0.dll | high | CVE-2020-14153 False Alarm. We are using jpeg 9d instead of 9a |
libtiff | 4.5.1 | cslibu-3-0.dll | high | CVE-2023-52355 no impact. TIFFRasterScanlineSize64 is not used in crystal reports. |
openssl | 1.0.2f | sapcrypto.dll | critical | CVE-2016-2177, CVE-2022-1292, CVE-2022-2068 These are transitive dependency and main tp has been taken care of all the mitigation of this |
openssl | 1.0.2f | sapcrypto.dll | high | CVE-2016-8610, CVE-2022-0778, CVE-2023-0215, CVE-2023-0464 These are transitive dependency and main tp has been taken care of all the mitigation of this |
zlib | 1.2.12 | boezlib.dll, zlib.dll | critical | CVE-2022-37434, CVE-2023-45853 CVE-2022-37434 We don't call function inflateGetHeader () CVE-2023-45853 We don’t use affected function zipOpenNewFileInZip4_64() |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
61 | |
11 | |
7 | |
7 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.