CVE-2022-39143 A vulnerability has been identified in Parasolid

Yepher · September 14, 2022, 10:48pm

Is Shapr3D exposed to this issue?

A vulnerability has been identified in 
Parasolid V33.1 (All versions < V33.1.262), 
Parasolid V33.1 (All versions >= V33.1.262 < V33.1.263), 
Parasolid V34.0 (All versions < V34.0.252), 
Parasolid V34.1 (All versions < V34.1.242), 
Parasolid V35.0 (All versions < V35.0.161), 
Parasolid V35.0 (All versions >= V35.0.161 < V35.0.164), 
Simcenter Femap V2022.1 (All versions < V2022.1.3), 
Simcenter Femap V2022.2 (All versions < V2022.2.2). 

The affected application contains an out of bounds write past the end of an allocated buffer while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-17493)

https://nvd.nist.gov/vuln/detail/CVE-2022-39143

Just wondering how concerned we should be when importing XT content.

Istvan · September 15, 2022, 9:55am

Hi @Yepher, yes, Shapr3D is impacted too, just like every other Parasolid based CAD. We are updating Parasolid and releasing an update immediately. While the vulnerability is serious, it’s very easy to avoid it: just avoid opening X_T files from unreliable sources. But it’s still perfectly safe to open any file from your PDM or PLM system, or any file from a trusted source.

Yepher · September 15, 2022, 12:57pm

Thank you for the guidence.

I assume we should not load *.shapr files shared on this forum or from places like Printables.com until the patch is complete, or are those safe?

Istvan · September 15, 2022, 1:41pm

Correct. Although realistically the actual risk is quite low.

Laci_K · September 16, 2022, 2:59pm

Hi,

Fix is released, should be available in the coming hours depending on the stores. Version number is 5.214.

TheBum · September 16, 2022, 8:48pm

The update is available for download on the Mac at least. I just started Shapr a few minutes ago and I was prompted to upgrade to 5.214.0.

Pouln · September 18, 2022, 11:06am

Hmm, I don’t receive this update on my ipad. Still on 5.212 dven after closing and reopening the app.

Laci_K · September 18, 2022, 11:07am

Check the App store, there should be an update button when you open the Shapr3D page.

Pouln · September 18, 2022, 11:48am

@Laci_Shapr3D Yep, found it. Not too obvious as it does not show that an update is there. Why doesn’t it update automatically, like other apps?

Laci_K · September 18, 2022, 2:22pm

It depends on when the phased release reaches you. It’s takes a week to reach everyone, but you can manually update at any time.

Pouln · September 18, 2022, 4:23pm

@Laci_K ah ok. Thanks for the explanation.

Topic		Replies	Views
Importing Failure Parasolid and Step Need help? We are here.	8	370	April 13, 2023
Does Shapr3D support assembly yet? Need help? We are here.	8	976	August 28, 2020
Why such odd behaviour? Need help? We are here.	3	511	May 19, 2022
Step import/export glitch Need help? We are here.	2	709	July 23, 2019
Latest design can't be opened all of the sudden Need help? We are here.	2	248	April 19, 2024

CVE-2022-39143 A vulnerability has been identified in Parasolid

Related topics