Announcement Regarding DLL Hijacking Vulnerability
Summary
There was a DLL Hijacking vulnerability in all Astah installers for Windows OSes.
This DLL hijacking vulnerability could allow an unauthenticated remote attacker to run a specific DLL in the background when you execute the Astah installer if any malicious DLL is in the same folder where Astah installer is.
Mac and Linux packages are not affected by this, only EXE installers. Also, this problem does not affect you if you already have installed Astah.
We rebuilt all the Astah installers to resolve this DLL Hijacking vulnerability on December 5th, 2019.
Customers who have Astah installers for redistribution or future re-installation, please read the solutions below.
Affected Products
Astah installers for Windows(.exe files) except Astah version 8.2.
Solutions
Astah Professional & UML
v.8.2
There is no DLL Hijacking vulnerability, so you do not have to do anything.
v.8.1, 8.0 and 7.2
Discard the Astah installer if you have it and download it again from the download page.
On the download page, replaced installers will have the same release date and build number, but it has been rebuilt to resolve this problem.
v.7.1 or earlier
Since these versions are out of support, we do not provide updated installers with a fix to this problem.
Please make sure there is no DLL file that you are not aware of inside the folder where Astah installer is located at executing the Astah installer.
Astah Viewer
v.8.2
There is no DLL Hijacking vulnerability, so you do not have to do anything.
v.8.1 or earlier:
Discard the installer, and please download and use the latest version.
Astah SysML
v.1.5
Discard the Astah installer if you have it and download it again from the download page.
On the download page, replaced installers will have the same release date and build number, but it has been rebuilt to resolve this problem.
v.1.4. and earlier
Since these versions are out of support, we do not provide updated installers with a fix to this problem.
Please make sure there is no DLL file that you are not aware of inside the folder where Astah installer is located at executing the Astah installer.
Astah GSN
v.1.2
Discard the Astah installer if you have it and download it again from the download page.
On the download page, replaced installers will have the same release date and build number, but it has been rebuilt to resolve this problem.
v.1.1 or earlier
Since these versions are out of support, we do not provide updated installers with a fix to this problem.
Please make sure there is no DLL file that you are not aware of inside the folder where Astah installer is located at executing the Astah installer.
Reference Information
Please refer to https://www.kb.cert.org/vuls/id/707943/.
Version History
Contact Us
If this information is not clear to you or if you have any questions, please feel free to contact us.