CVE-2022-39143 A vulnerability has been identified in Parasolid

Is Shapr3D exposed to this issue?


A vulnerability has been identified in 
Parasolid V33.1 (All versions < V33.1.262), 
Parasolid V33.1 (All versions >= V33.1.262 < V33.1.263), 
Parasolid V34.0 (All versions < V34.0.252), 
Parasolid V34.1 (All versions < V34.1.242), 
Parasolid V35.0 (All versions < V35.0.161), 
Parasolid V35.0 (All versions >= V35.0.161 < V35.0.164), 
Simcenter Femap V2022.1 (All versions < V2022.1.3), 
Simcenter Femap V2022.2 (All versions < V2022.2.2). 

The affected application contains an out of bounds write past the end of an allocated buffer while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-17493)

https://nvd.nist.gov/vuln/detail/CVE-2022-39143

Just wondering how concerned we should be when importing XT content.

Hi @Yepher, yes, Shapr3D is impacted too, just like every other Parasolid-based CAD. We are updating Parasolid and releasing an update immediately. While the vulnerability is serious, it’s very easy to avoid it: just avoid opening X_T files from unreliable sources. But it’s still perfectly safe to open any file from your PDM or PLM system, or any file from a trusted source.

Thank you for the guidance.

I assume we should not load *.shapr files shared on this forum or from places like Printables.com until the patch is complete, or are those safe?

Correct. Although realistically the actual risk is quite low.


Hi,

Fix is released, should be available in the coming hours depending on the stores. Version number is 5.214.


The update is available for download on the Mac at least. I just started Shapr a few minutes ago and I was prompted to upgrade to 5.214.0.


Hmm, I don’t receive this update on my iPad. Still on 5.212 even after closing and reopening the app.

Check the App store, there should be an update button when you open the Shapr3D page.

@Laci_Shapr3D Yep, found it. Not too obvious as it does not show that an update is there. Why doesn’t it update automatically, like other apps?

It depends on when the phased release reaches you. It takes a week to reach everyone, but you can manually update at any time.

@Laci_K ah ok. Thanks for the explanation.