First published: 21st April 2022
Last updated: 3rd June 2022
A vulnerability has been found in the implementation of the ZLIB library. This affects the following supported DriveLock products (supported at the time this bulletin was created):
The detected vulnerability in ZLIB before version 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. DriveLock uses this library mainly to decompress previously packed files; because the vulnerability lies in the compression path, this use does not affect security.
The DriveLock Support Companion uses the library to pack all collected DriveLock log data files into a single ZIP file. If one of these files had been manipulated to exploit the detected vulnerability, this would only cause the DriveLock Support Companion to crash.
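The triage reasoning above (zlib older than 1.2.12, compressing versus only decompressing) can be applied to an inventory of components. This is an added example, not DriveLock code; `triage`, `report` and the inventory entries are hypothetical names and constructed data.

```python
import re
import zlib

FIXED = (1, 2, 12)  # first zlib release containing the fix, per the bulletin


def parse_zlib_version(text):
    """Return the numeric prefix of a zlib version string as a tuple.

    Tolerates a fourth component and trailing suffixes, e.g. '1.2.12.1-motley'.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised zlib version: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def triage(version, deflates_untrusted_input):
    """Classify one component: 'fixed', 'inflate-only' or 'exposed'."""
    if parse_zlib_version(version)[:3] >= FIXED:
        return "fixed"
    if not deflates_untrusted_input:
        # Old zlib, but only the decompression path is used.
        return "inflate-only"
    return "exposed"


# Constructed sample inventory: (component, linked zlib version, compresses input?)
INVENTORY = [
    ("unpacker", "1.2.11", False),
    ("log-bundler", "1.2.11", True),
    ("log-bundler-updated", "1.2.12", True),
    ("dev-build", "1.2.11.1-motley", True),
]


def report(inventory):
    """Map each component name to its triage result."""
    return {name: triage(ver, deflates) for name, ver, deflates in inventory}


if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:22} {status}")
    # zlib actually loaded by this Python interpreter
    runtime = zlib.ZLIB_RUNTIME_VERSION
    print(f"{'this interpreter':22} {runtime} -> {triage(runtime, True)}")
```

A result of `exposed` is based on the version string alone; distribution packages sometimes carry a backported fix under an older version number, so confirm the package's patch status before acting on it.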
A full list of related CVEs is given in the following section.
This vulnerability can be mitigated by not using the DriveLock Support Agent to collect all trace files, or by using the DOC to collect and upload the trace files.
A patch for DriveLock 2022.1 and our latest long-term support release 2021.2 has been released. Customers can update their DriveLock agents to one of these two versions.
We recommend always using the latest available version.