Summary

There was a DLL Hijacking vulnerability in all Astah installers for Windows OSes.

This DLL hijacking vulnerability could allow an unauthenticated remote attacker to run a specific DLL in the background when you execute the Astah installer if any malicious DLL is in the same folder where Astah installer is.

Mac and Linux packages are not affected by this, only EXE installers. Also, this problem does not affect you if you already have installed Astah.

We rebuilt all the Astah installers to resolve this DLL Hijacking vulnerability on December 5th, 2019.

Customers who have Astah installers for redistribution or future re-installation, please read the solutions below.


Affected Products

Astah installers for Windows(.exe files) except Astah version 8.2.


Solutions

Astah Professional & UML

v.8.2

There is no DLL Hijacking vulnerability, so you do not have to do anything.

v.8.1, 8.0 and 7.2

Discard the Astah installer if you have it and download it again from the download page.
On the download page, replaced installers will have the same release date and build number, but it has been rebuilt to resolve this problem.

v.7.1 or earlier

Since these versions are out of support, we do not provide updated installers with a fix to this problem.
Please make sure there is no DLL file that you are not aware of inside the folder where Astah installer is located at executing the Astah installer.


Astah Viewer

v.8.2

There is no DLL Hijacking vulnerability, so you do not have to do anything.

v.8.1 or earlier:

Discard the installer, and please download and use the latest version.


Astah SysML

v.1.5

Discard the Astah installer if you have it and download it again from the download page.
On the download page, replaced installers will have the same release date and build number, but it has been rebuilt to resolve this problem.

v.1.4. and earlier

Since these versions are out of support, we do not provide updated installers with a fix to this problem.
Please make sure there is no DLL file that you are not aware of inside the folder where Astah installer is located at executing the Astah installer.


Astah GSN

v.1.2

Discard the Astah installer if you have it and download it again from the download page.
On the download page, replaced installers will have the same release date and build number, but it has been rebuilt to resolve this problem.

v.1.1 or earlier

Since these versions are out of support, we do not provide updated installers with a fix to this problem.
Please make sure there is no DLL file that you are not aware of inside the folder where Astah installer is located at executing the Astah installer.


Reference Information

Please refer to https://www.kb.cert.org/vuls/id/707943/.


Version History


Contact Us

If this information is not clear to you or if you have any questions, please feel free to contact us.