May 2020 Security Update Advisory (CVE-2020-12630, CVE-2020-12631)

 

Vulnerabilities Details

Remediation Steps

FAQ

References

Vulnerability Details

CVE ID:

CVE-2020-12630, CVE-2020-12631

Type:

Denial of Service

Discovered:

2020/01/31

Discovered By:

Jack Baker

Patch Availability:

2020/05/19

Affected Operating System:

All supported platforms

Affected Versions:

All

Severity:

High

Patch Versions:

Vulnerability Details

Two out-of-bounds memory issues were identified in the Unity Multiplayer and Networking UNET feature affecting games and applications built with the Unity Editor using UNET. These issues could lead to Denial Of Service (DoS), allowing an attacker to crash the Unity process, and potentially the game or application.

Remediation Steps

Determine the version of your Unity Editor

Open a Unity project

The Unity version is visible in the main window title.

description

Install Update

If your version of the Unity Editor is not one of the listed Patch Versions of the Vulnerability Details section above you can continue with the update installation as follows.

To install the update you can use the Unity Editor update checker available in the File menu Help -> Check for Updates.

description

Additionally, you can download and install the corresponding patch for your version of the Unity Editor. The download links are available in the Patch Versions of the Vulnerabilities Details section and in the References section.

Build and deploy

Once you have updated the Unity Editor, you can move forward with making a new build of your game or application and deploy the new fixed version.

FAQ

What type of vulnerability was addressed in this update?

Two out-of-bounds memory issues were identified that could lead to Denial Of Service (DoS), allowing an attacker to crash the Unity process, and potentially the game or application.

Do these vulnerability affect built games/applications in any way?

Yes. Games and applications built with the Unity Editor using the Unity Multiplayer and Networking UNET feature are affected.

What Unity features are affected?

Only Unity UNET is affected by the identified vulnerabilities.

Will I need to rebuild asset bundles due to the update requirement?

It depends on the specific version of the Unity Editor that you are using. Most customers will be able to update to the patched versions without needing to rebuild their bundles, but some customers may find that asset importers have been updated between the version they are currently using and the patch for that dot-release. For those customers, asset bundle rebuilding may be necessary.

What platforms are affected?

All supported platforms are affected.

What platform versions are affected?

All platform versions are affected.

What versions of Unity are affected?

All versions of the Unity Editor are affected.

What versions of the Unity Editor are being patched?

We have released a patch for all officially supported versions of the Unity Editor up to 2020.2 Alpha. All future versions will contain the update as well.

Will my specific version be patched?

Unity will be releasing a single patch to each of the most current versions, i.e., last update of the Unity Editor.

What about versions 5.6 and older?

Our focus right now is on addressing the identified vulnerabilities in all officially supported versions up to 2020.2 Alpha. We are not planning to release a patch for other versions of Unity.

I have a locked-down older version of Unity 5.x.x. Will you produce a patch for the exact version of Unity that I’m using?

Our focus right now is on addressing the identified vulnerabilities in all officially supported versions up to 2020.2 Alpha. We are not planning to release a patch for other versions of Unity.

How do I know if I’ll need to rebuild my asset bundles?

You may need to rebuild your bundles if any assets are re-imported when you first open your project in the patched version of the Unity Editor.