Security Bulletin #22-001 - ZLIB external library vulnerability



First published: 21st April 2022
Last updated: 3rd June 2022
Severity: Low


Summary

A vulnerability has been found in the implementation of the ZLIB library. This affects the following DriveLock products (those supported at the time this bulletin was created):

  • DriveLock 2019.2
  • DriveLock 2020.2
  • DriveLock 2021.1
  • DriveLock 2021.2
  • DriveLock 2022.1

Description

The detected vulnerability in ZLIB before version 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. DriveLock uses this library mainly to decompress previously packed files, a code path that is not affected because the flaw lies in the compression (deflate) routine.

The DriveLock Support Companion uses the library to pack all collected DriveLock log data files into a single ZIP file. If one of these files had been manipulated to trigger the detected vulnerability, this would only cause the DriveLock Support Companion to crash.
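As an added example (not part of this bulletin and not DriveLock's own code), the following Python check classifies a zlib version string against the 1.2.12 fix boundary named above, so that an inventory of components that call deflate can be screened; the function names and the sample version strings are constructed for this example.

```python
import re
import zlib

# First zlib release that no longer carries the deflate defect (from the bulletin).
FIXED_VERSION = (1, 2, 12)


def parse_zlib_version(version: str) -> tuple:
    """Turn a zlib version string such as '1.2.11', '1.2.11.1' or
    '1.2.13.zlib-ng' into a tuple of its leading numeric fields.
    Non-numeric vendor suffixes are ignored; '1.2' is padded to (1, 2, 0)."""
    fields = []
    for part in version.strip().split("."):
        m = re.match(r"^(\d+)", part)
        if not m:
            break
        fields.append(int(m.group(1)))
    if not fields:
        raise ValueError(f"unrecognised zlib version string: {version!r}")
    while len(fields) < 3:
        fields.append(0)
    return tuple(fields)


def deflate_path_affected(version: str) -> bool:
    """True when the release predates 1.2.12, i.e. its deflate (compression)
    side is exposed. Only components that compress attacker-influenced input
    matter; pure inflate (decompression) users are out of scope, as the
    bulletin explains. Caveat: distribution builds may backport the fix
    without changing the version string, so treat a True result as a prompt
    to verify the package's changelog rather than as proof of exposure."""
    return parse_zlib_version(version)[:3] < FIXED_VERSION


def runtime_zlib_status() -> dict:
    """Report the zlib actually linked into this Python process.
    The result naturally depends on the host this is run on."""
    v = zlib.ZLIB_RUNTIME_VERSION
    return {"version": v, "deflate_affected": deflate_path_affected(v)}


if __name__ == "__main__":
    # Constructed sample inputs alongside the live runtime check.
    for sample in ("1.2.11", "1.2.11.1", "1.2.12", "1.2.13.zlib-ng", "1.3"):
        print(sample, "->", "affected" if deflate_path_affected(sample) else "fixed")
    print(runtime_zlib_status())
```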

A full list of related CVEs is listed in the following section.

References

Mitigation

This vulnerability can be mitigated by not using the DriveLock Support Agent to collect all trace files, or by using the DOC to collect and upload the trace files instead.

How to update your environment

A patch for DriveLock 2022.1 and for our latest long-term support release 2021.2 has been released. Customers can update their DriveLock agents to one of these two versions.
We recommend always using the latest available version.