January 2023 Security Update Advisory

Overview

The Unity Editor, when importing FBX or SketchUp associated file types, is affected by memory corruption vulnerabilities which could lead to remote code execution.

The updated version of the Unity Editor includes the latest version of the Autodesk FBX SDK and SketchUp SDK security patches.

Vulnerability Details

CVE ID: Multiple, see advisories for more details:

ADSK-SA-2022-0022[1]
ADSK-SA-2021-0001[2]

Type: Remote Code Execution

Discovered: 2022/10/03

Discovered By: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

Patch Availability: 1/30/2023

Affected Operating System: All supported platforms

Affected Versions: All

Severity: High

Patch Versions: 

  • 2023.1.0a26
  • 2022.2.3f1
  • 2021.3.17f1
  • 2020.3.44f1

Remediation Steps

If your version of the Unity Editor is not one of the versions listed under Patch Versions in the Vulnerability Details section, or higher, please update to the latest version available. You can view the current version and check for updates using the “Check for Updates” feature in the Unity Editor, as described in Manual: Check For Updates for your Unity Editor version.
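For teams that need to apply this check across many machines, the following is an added example (not Unity tooling and not part of the original advisory) that classifies Editor version strings against the Patch Versions list. It assumes release-type letters order as alpha < beta < final < patch, that a release stream with no listed patch build still needs an update, and it uses a constructed sample inventory.

```python
import re

# Patched builds from the advisory's "Patch Versions" list.
PATCHED = ["2023.1.0a26", "2022.2.3f1", "2021.3.17f1", "2020.3.44f1"]

# Assumed ordering of Unity release-type letters: alpha < beta < final < patch.
_STAGE = {"a": 0, "b": 1, "f": 2, "p": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([abfp])(\d+)$")


def parse(version):
    """Turn '2021.3.17f1' into a comparable tuple (2021, 3, 17, 2, 1)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Unity version: {version!r}")
    year, minor, patch, stage, build = m.groups()
    return (int(year), int(minor), int(patch), _STAGE[stage], int(build))


# Map each release stream (year, minor) to its first patched build.
_FIXED_BY_STREAM = {parse(v)[:2]: parse(v) for v in PATCHED}
_NEWEST_STREAM = max(_FIXED_BY_STREAM)


def status(version):
    """Classify an installed Editor version as 'patched' or 'update'."""
    parsed = parse(version)
    stream = parsed[:2]
    if stream in _FIXED_BY_STREAM:
        return "patched" if parsed >= _FIXED_BY_STREAM[stream] else "update"
    # Streams newer than any listed one: the FAQ says future versions carry the fix.
    if stream > _NEWEST_STREAM:
        return "patched"
    # Assumption: a stream with no listed patch build never received the fix.
    return "update"


def audit(inventory):
    """Return {host: version} for every install that still needs updating."""
    return {h: v for h, v in inventory.items() if status(v) == "update"}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    sample = {"build-01": "2021.3.16f1", "build-02": "2021.3.17f1",
              "dev-07": "2022.1.24f1", "dev-09": "2023.1.0a25"}
    for host, ver in audit(sample).items():
        print(f"{host}: {ver} needs an Editor update")
```

The version strings can be collected from each project's ProjectSettings/ProjectVersion.txt (the m_EditorVersion field), which records the Editor version the project was last opened with.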

Frequently asked questions

What type of vulnerability was addressed in this update?

Memory corruption issues were identified that could lead to Remote Code Execution (RCE) and/or Denial-of-Service (DoS).

What platforms are affected?

All platforms for the Unity Editor are affected.

What versions of the Editor are being patched?

We have released a patch for Long Term Support (LTS) and Pre-release (Alpha and Beta) versions. All future versions will contain the update as well.
