Overview
The Unity Editor, when importing FBX or SketchUp associated file types, is affected by memory corruption vulnerabilities which could lead to remote code execution.
The updated version of the Unity Editor includes the latest version of the Autodesk FBX SDK and SketchUp SDK security patches.
Vulnerability Details
CVE ID: Multiple, see advisories for more details:
ADSK-SA-2022-0022[1]
ADSK-SA-2021-0001[2]
Type: Remote Code Execution
Discovered: 2022/10/03
Discovered By: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
Patch Availability: 1/30/2023
Affected Operating System: All supported platforms
Affected Versions: All
Severity: High
Patch Versions:
- 2023.1.0a26
- 2022.2.3f1
- 2021.3.17f1
- 2020.3.44f1
Remediation Steps
If your version of the Unity Editor is not one of the versions listed under Patch Versions in the Vulnerability Details section, or higher, please update to the latest version available. You can view the current version and check for updates using the “Check for Updates” feature in the Unity Editor, as described in Manual: Check For Updates for your Unity Editor version.
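The version comparison in the remediation step can be scripted to audit many projects or build agents at once. The following is an added example, not code from Unity or from this advisory. It assumes that release stages order as alpha < beta < final, that a release stream with no entry in the Patch Versions list has no fix of its own, and that the editor version is read from the m_EditorVersion line of a project's ProjectSettings/ProjectVersion.txt; the function names are illustrative.

```python
import re

# Patch versions copied from the advisory's "Patch Versions" list.
PATCH_VERSIONS = ["2023.1.0a26", "2022.2.3f1", "2021.3.17f1", "2020.3.44f1"]

# Assumption: release stages order as alpha < beta < final.
STAGE_RANK = {"a": 0, "b": 1, "f": 2}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([abf])(\d+)")


def parse_version(text):
    """Turn '2021.3.17f1' into a comparable tuple (2021, 3, 17, 2, 1)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Unity version: {text!r}")
    major, minor, patch, stage, rev = m.groups()
    return (int(major), int(minor), int(patch), STAGE_RANK[stage], int(rev))


# Map each release stream (major, minor) to its first fixed build.
FIXED = {parse_version(v)[:2]: parse_version(v) for v in PATCH_VERSIONS}


def classify(version_text):
    """Return 'patched', 'update-required', or 'no-fix-in-stream'."""
    v = parse_version(version_text)
    stream = v[:2]
    if stream in FIXED:
        return "patched" if v >= FIXED[stream] else "update-required"
    # Streams newer than every listed one postdate the fix ("all future versions").
    if stream > max(FIXED):
        return "patched"
    # Older or in-between streams have no listed fix: move to a patched stream.
    return "no-fix-in-stream"


def editor_version(project_version_txt):
    """Extract m_EditorVersion from ProjectSettings/ProjectVersion.txt content."""
    m = re.search(r"^m_EditorVersion:\s*(\S+)", project_version_txt, re.MULTILINE)
    if not m:
        raise ValueError("m_EditorVersion not found")
    return m.group(1)


# Constructed sample of a ProjectVersion.txt file (not taken from the advisory).
SAMPLE = "m_EditorVersion: 2021.3.16f1\nm_EditorVersionWithRevision: 2021.3.16f1 (0123456789ab)\n"

if __name__ == "__main__":
    for ver in [editor_version(SAMPLE), "2022.2.3f1", "2022.1.24f1", "2023.1.0b2"]:
        print(ver, classify(ver))
```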
Frequently asked questions
Memory corruption issues were identified that could lead to Remote Code Execution (RCE) and/or Denial-of-Service (DoS).
All platforms for the Unity Editor are affected.
We have released a patch for Long Term Support (LTS) and Pre-release (Alpha and Beta) versions. All future versions will contain the update as well.