Did anyone see this... Does it relate to LM 10.3.1, and is there a patch available?
Flexera FlexNet Publisher up to 11.13.1.2 Packet Handler Opcode buffer overflow
Above my head... but tagging ArcGIS for Desktop Installation support. Maybe Stuart has some input.
Is your license server exposed to the outside world? If not, I wonder if this will have much impact...
Not the outside world, but we do have a population of very bright CS students... if it's an issue we would like to patch.
ArcGIS for Desktop Installation support, ArcGIS for Server
Well, the CVE report is pretty clear--all FlexNet Publisher based licensing using lmgrd and "Vendor" daemons through FNP release 11.13.1.2 are impacted by the vulnerability. Security patch 1 for 11.13.1.2 was reportedly released on 24 November 2015.
Meaning -- ArcGIS 10.3.1 and earlier builds of the License Manager are affected. ArcGIS 10.3.1 uses lmgrd and libFNP.dll version 11.12.1.2 (lmgr.lib 152538 -- built 2015-03-20), which is definitely vulnerable.
Vendors on support would have received a source patch from Flexera, released 2015-11-24 along with a new lmgrd.exe build to be compiled by each Vendor into their product for distribution.
Unclear if the ArcGIS 10.4 LM using 11.13.1.2 (lmgr.lib 173302 - dated 2015-12-01 but built by Esri 2016-01-06) has the security patch or not. It is possible, but I am unable to verify. That requires access to a FlexNet Publisher SDK, which I do not have. Laurene Koman, are you still wrangling the FlexNet Publisher stuff? If not, can you poke someone to comment?
Also, not clear if the lmadmin based licensing is affected by the buffer overflow condition. Although the lmgrd services are replaced, it is possibly impacted as the same vulnerable Vendor daemons are used there as well. But that is not an issue for Esri as they do not deploy lmadmin.
Unfortunately I have about a dozen vendor daemons I will have to tighten the firewall for, and pester vendors to patch. A pain for some of the programs that we are off support for.
Stuart
Hello all,
Please refer to Esri KB 45811 regarding CVE-2015-8277:
45811 - Warning of two security vulnerabilities in Flexera FlexNet Publisher