March 04, 2019
Security Update Advisory
Unity has identified a Remote Code Execution flaw in the Unity Editor and has rolled out a critical security patch to remediate this issue.
An input string validation issue was identified that could lead to Remote Code Execution (RCE). As part of Unity’s responsible disclosure program, Unity will consider releasing additional details to the public after customers have had time to apply the updates.
It does not affect built games/applications in any way; only the Unity Editor for Windows is affected, in all versions. Mac and Linux platforms are not affected by the identified vulnerability.
Unity has released patched versions of the Unity Editor for all officially supported versions, starting with version 5.6 and up to 2019.2 alpha.
All future versions will contain the update as well.
For versions older than 5.6, Unity is providing a mitigation tool that disables the identified vulnerable feature of the Unity Editor; it can be downloaded from the Mitigation Tool Guide.
You can select your Unity version with the appropriate patch instructions at Unity Security #CVE-2019-9197.
It’s important to remember that the mitigation is not a patch and has limitations.
The mitigation disables the Unity Editor feature identified as vulnerable, but it cannot control whether the affected functionality becomes re-enabled at some point.
Unity therefore strongly recommends updating to a fixed version of the Unity Editor to get the benefits of the full patch. After applying the mitigation, you will also no longer be able to use the ‘Open in Unity’ functionality in the web browser version of the Asset Store. You may also need to rebuild your asset bundles if any assets are re-imported when you first open your project in the patched version of the Unity Editor.
If you have any questions, please don’t hesitate to contact the Unity Customer Service team at https://support.unity3d.com.
As with all security matters, Unity takes this situation very seriously. Should any more details be identified, we will update this post.
For complete details see here.