Vulnerable components in Edge/WebView DLLs?


We are using a vulnerability scanner (Black Duck in this case) to scan for packages we may include/distribute/depend on in our products, and BD is complaining about old zlib, OpenSSL and sqlite3 components inside some of the DLLs distributed in the WebView2 redistributable. These same vulnerable (statically linked?) components also seem to be in folders under the Edge install on Windows.

Specifically, the components used are outdated and contain vulnerabilities scored up to CVSS 9.8. At least mip_core.dll contains old 1.0.2 OpenSSL and 3.24 sqlite3 parts. Just wondering whether there is somewhere this can be reported, or where we can ask why this is the case? It's just a bit hard to explain to our own customers why we are spreading components with vulnerabilities in them.

Does anyone have some insight on the process of reporting or finding answers on the components used in webview2 and edge?

3 Replies
If you are using the latest version of Microsoft Edge, your system is patched and you are protected; I believe this is a false-positive detection.
You may contact the vulnerability scanner's vendor and see what they have to say, and if they believe this is a real security issue or vulnerability, let us know.
What version numbers of Edge and WebView are you seeing this in?

@josh_bodner The latest WebView runtime available to download (101.0.1210.39); Edge reports the same version. The exact problem is that Black Duck (which I have no reason to doubt as of yet, but of course who knows) detects that, for example, mip_core.dll contains OpenSSL code v1.0.2t (which is quite a lot behind the 1.0.2za of that 1.0.2 branch) and sqlite3 v3.24.0 instead of 3.83.3, which is the newest. The sqlite3 version contains about a dozen CVEs on it and

Also, several DLLs (e.g. libGLESv2.dll, libsmartscreen.dll, msedge.dll, ...) contain zlib 1.2.11, but that is to be expected since the latest 1.2.12 was only released within the last month.
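The thread turns on whether the scanner's finding is real: Black Duck reports OpenSSL 1.0.2t, SQLite 3.24.0 and zlib 1.2.11 inside Edge/WebView2 DLLs, and the reply calls it a likely false positive. Scanners of this kind largely work by matching the version literals that those libraries compile into their binaries, so a practitioner can reproduce the finding independently before going back to either vendor. The script below is an added example, not code from the thread, from Black Duck or from Microsoft. It looks for OpenSSL's `OPENSSL_VERSION_TEXT` string ("OpenSSL 1.0.2t  10 Sep 2019"), zlib's `inflate_copyright`/`deflate_copyright` strings (" inflate 1.2.11 Copyright ...") and SQLite's `SQLITE_SOURCE_ID` literal (a date/time followed by a hex hash), and compares what it finds with a caller-supplied baseline. The sample blob is constructed (its SQLite hash is made up), the baseline versions are simply the ones quoted in the thread, and the assumption that SQLite's version string sits within a few hundred bytes of its source id is a heuristic, not a guarantee.

```python
"""Scan a binary (e.g. a WebView2/Edge DLL) for the version strings that
statically linked OpenSSL, zlib and SQLite leave behind, then compare them
against a caller-supplied baseline.  Added example; the patterns follow
OPENSSL_VERSION_TEXT, zlib's inflate_copyright/deflate_copyright strings
and SQLite's SQLITE_SOURCE_ID literal."""
import re
import sys
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    component: str
    version: str
    offset: int


# "OpenSSL 1.0.2t  10 Sep 2019" (FIPS builds add "-fips" after the version)
OPENSSL_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?:-[A-Za-z0-9]+)?\s+\d{1,2} [A-Z][a-z]{2} \d{4}")
# " inflate 1.2.11 Copyright 1995-2017 Mark Adler " and its deflate twin
ZLIB_RE = re.compile(rb"(?:inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")
# SQLITE_SOURCE_ID: "YYYY-MM-DD HH:MM:SS <40..64 hex chars>"
SQLITE_SRCID_RE = re.compile(rb"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [0-9a-f]{40,64}")
SQLITE_VER_RE = re.compile(rb"\b3\.\d{1,2}\.\d{1,2}\b")
SQLITE_WINDOW = 512  # assumption: SQLITE_VERSION lands near SQLITE_SOURCE_ID in .rdata


def find_components(blob: bytes) -> List[Finding]:
    """Return one Finding per distinct (component, version) pair seen in blob."""
    found: List[Finding] = []
    seen = set()

    def add(component: str, version: str, offset: int) -> None:
        if (component, version) not in seen:
            seen.add((component, version))
            found.append(Finding(component, version, offset))

    for m in OPENSSL_RE.finditer(blob):
        add("openssl", m.group(1).decode("ascii"), m.start())
    for m in ZLIB_RE.finditer(blob):
        add("zlib", m.group(1).decode("ascii"), m.start())
    for m in SQLITE_SRCID_RE.finditer(blob):
        lo, hi = max(0, m.start() - SQLITE_WINDOW), m.end() + SQLITE_WINDOW
        v = SQLITE_VER_RE.search(blob, lo, hi)
        add("sqlite3", v.group(0).decode("ascii") if v else "unknown", m.start())
    return found


def parse_version(v: str) -> tuple:
    """Turn '1.0.2t', '1.0.2za', '1.2.11' or '1.3' into a comparable tuple.
    OpenSSL letter suffixes are ordered a < ... < z < za < zb."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # pad so that 1.3 > 1.2.13 and 1.3 < 1.3.1
    suffix = 0
    for ch in m.group(2):
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return tuple(nums) + (suffix,)


def scan(blob: bytes, baseline: Dict[str, str]) -> List[dict]:
    """Flag every embedded component whose version is older than baseline[component]."""
    report = []
    for f in find_components(blob):
        latest = baseline.get(f.component)
        outdated = (f.version != "unknown" and latest is not None
                    and parse_version(f.version) < parse_version(latest))
        report.append({"component": f.component, "version": f.version,
                       "offset": f.offset, "latest": latest, "outdated": outdated})
    return report


# Constructed stand-in for a DLL carrying the strings the thread reports.
# The SQLite source-id hash below is invented, not the real 3.24.0 hash.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"OpenSSL 1.0.2t  10 Sep 2019\x00" + b"\x00" * 8
    + b"SQLite format 3\x00" + b"3.24.0\x00"
    + b"2018-06-04 19:24:41 " + b"c7" * 32 + b"\x00"
    + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"
    + b" deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler \x00"
)
# Baseline taken from the versions quoted in the thread; it is an input, not CVE data.
BASELINE = {"openssl": "1.0.2za", "zlib": "1.2.12"}


if __name__ == "__main__":
    targets = sys.argv[1:]  # e.g. mip_core.dll libGLESv2.dll; none -> scan SAMPLE_BLOB
    blobs = [open(p, "rb").read() for p in targets] if targets else [SAMPLE_BLOB]
    for name, blob in zip(targets or ["<sample>"], blobs):
        for row in scan(blob, BASELINE):
            flag = "OUTDATED" if row["outdated"] else "ok/unknown"
            print(f"{name}: {row['component']} {row['version']} @0x{row['offset']:x} "
                  f"(baseline {row['latest']}) {flag}")
```

Run it against the DLLs from the WebView2 runtime directory and it will tell you whether the version literals are really there, which settles the "is the scanner hallucinating" half of the question. It cannot settle the other half: a vendor that backports fixes into a vendored copy without bumping the version string produces exactly this kind of finding, and conversely the presence of a string does not show that a vulnerable code path is reachable from the DLL. The string match is evidence to put in front of the vendor, not a verdict.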