JonBe
Inspiring
September 7, 2022
Question

Fix critical vulnerabilities in FrameMaker | August 2022


Hi all,

If you have not seen this (as I did not), there is a new vulnerability in FM 2019/2020 to do with SVG files and fonts (Fix critical vulnerabilities in FrameMaker | August 2022 (adobe.com)). Note that for us Aussies, the link on the Australian site is broken, so you have to use the US site!

For any Adobe folk, was this posted to this community? If not, why not!

It would also be nice if the FrameMaker team had packaged up the update, not left it as a manual copy of files.

Jon


3 replies

LinSims
Community Expert
October 19, 2022

Does anyone know if this was fixed in the FM2022 release, or do we have to do this again?

JonBe
Author
Inspiring
October 19, 2022

Hi Lin,

I believe we can be somewhat assured given 2022 was released late September, while the vulnerability update was released in August, and presumably was developed and tested well before, so there was enough time to make sure 2022 was updated. I have modified my update deployment script to parse out the version information from the 2020 update to compare with the equivalent files in 2022, and as you can see below, all are either the same or later versions. This does not guarantee, of course, that the vulnerabilities have been addressed. We can only hope. 🤞

Filename,2020 Update FileVersion,2020 Update ProductVersion,2022 FileVersion,2022 ProductVersion
ace.dll,3.5.0.51261,79.b8223ff,4.0.0.51311,79.6f59656
adobepdfl.dll,16.0.7.51261,79.0668cdd,17.0.0.51335,79.ded7f40
adobesvgagm.dll,3.0.0,1.000001,3.0.0,1.000001
agm.dll,5.3.1.51261,79.b8223ff,6.0.0.51311,79.6f59656
are.dll,2.0.6.51261,79.b8223ff,3.0.0.51311,79.6f59656
bib.dll,2.0.6.51261,79.b8223ff,3.0.0.51311,79.6f59656
bibutils.dll,2.0.6.51261,79.b8223ff,3.0.0.51311,79.6f59656
cooltype.dll,6.2.4.51261,79.b8223ff,7.0.0.51311,79.6f59656
pdfport.dll,3.0.6.51261,79.b8223ff,4.0.0.51311,79.6f59656
svgexport.dll,7, 1, 2, 0,1.,8, 0, 0, 0,1.
svgre.dll,7, 1, 2, 0,1.,8, 0, 0, 0,1.
libeay32.dll,1.0.2v,1.0.2v,1.0.2v,1.0.2v

Jon
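
The version comparison described in the post above, as an added example that is not Jon's deployment script or part of the original post: it normalizes the three FileVersion formats seen in the table (dotted, comma-separated, and OpenSSL-style letter suffix) and classifies each file. The function names are hypothetical, the rows are FileVersion pairs copied from the table, and ProductVersion build hashes such as `79.b8223ff` are assumed not to be orderable, so they are reported as unparsed rather than guessed.

```python
import re

# FileVersion pairs (2020 update, FM 2022) copied from the table in the post above.
ROWS = [
    ("ace.dll", "3.5.0.51261", "4.0.0.51311"),
    ("adobesvgagm.dll", "3.0.0", "3.0.0"),
    ("cooltype.dll", "6.2.4.51261", "7.0.0.51311"),
    ("svgexport.dll", "7, 1, 2, 0", "8, 0, 0, 0"),
    ("libeay32.dll", "1.0.2v", "1.0.2v"),
]

def version_key(text):
    """Parse "3.5.0.51261", "7, 1, 2, 0" or "1.0.2v" into a list of
    (number, letter-suffix) pairs; return None if any field is not numeric."""
    key = []
    for part in re.split(r"[.,]", text.strip()):
        m = re.fullmatch(r"(\d+)([a-z]*)", part.strip())
        if m is None:
            return None  # e.g. build hashes such as "79.b8223ff"
        key.append((int(m.group(1)), m.group(2)))
    return key

def compare(old, new):
    """Classify new relative to old as 'newer', 'same', 'older' or 'unparsed'."""
    a, b = version_key(old), version_key(new)
    if a is None or b is None:
        return "unparsed"  # fail closed: never report a guess as "same"
    width = max(len(a), len(b))
    a += [(0, "")] * (width - len(a))  # so "3.0.0" equals "3.0.0.0"
    b += [(0, "")] * (width - len(b))
    if b > a:
        return "newer"
    return "same" if a == b else "older"

def report(rows=ROWS):
    """Map each filename to its comparison result."""
    return {name: compare(old, new) for name, old, new in rows}

def needs_review(rows=ROWS):
    """Files whose installed copy is older than the update or could not be compared."""
    return sorted(n for n, r in report(rows).items() if r in ("older", "unparsed"))

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:18} {result}")
    print("needs review:", needs_review() or "none")
```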

JonBe
Author
Inspiring
October 11, 2022

Hi all,

As a postscript to this, I have found an odd thing about the 2020 update; it includes a file, libeay32.dll, that does not exist in 2020 with Update 4, or for that matter in previous updates of 2020. This OpenSSL library existed prior to 1.1.0, and with the 1.1.0 release was renamed to libssl-(v).dll (32 bit) or libssl-(v)-x64.dll. See ssleay32 and libeay32 libraries for actual version of OpenSSL-master · Issue #10332 · openssl/openssl · GitHub for the detail.

The renamed OpenSSL library file, libssl-1_1-x64.dll, does exist in the 2020 installation folder as well as 2019.

I opened a support case to see if I could get some understanding of why the additional file was included. I would think including an additional file in an update to address vulnerabilities is a very unusual step? However, the support person is insisting that it is required. 2020 was working perfectly without it, beforehand. The support person advised it was included with 2022, which I have verified.

Does anyone know of a reason why an older OpenSSL library, 32 bit, would be required for a 64 bit application?

Is there some 32 bit exe that gets launched that was built with OpenSSL 1.0.2 or earlier?

Another little puzzle to resolve! 🙂

Jon

JonBe
Author
Inspiring
October 19, 2022

So an update!

An error in my update script masked the fact that FM 2020 will not start if libeay32.dll is not present. This means that one of the updated DLLs must reference it.

So it must be included.

frameexpert
Community Expert
September 7, 2022

Thank you Jon. You are right, Jon; the page you linked to is almost a month old and we should have been notified by Adobe right away.

JonBe
Author
Inspiring
September 8, 2022

Hi Rick,

Yes, it seems very poor to me. While the impact, for FrameMaker at least, seems low, Adobe should still have a pinned post in this community. There were also vulnerabilities in Acrobat, and while there is a pinned post in the Acrobat community about the August updates, I note it does not mention any fixes for vulnerabilities. You have to go here for that Adobe Security Bulletin.

My customer reported these vulnerabilities to me from here Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution. (cisecurity.org). And this was dated 9th August! It would have been nice for me to have been telling them, not the other way around.

Security by obsecurity never works, imho! 🙂

Jon

JonBe
Author
Inspiring
September 8, 2022

Of course I meant obscurity, but obsecurity seems appropriate. 😉🤣