FlexLM - license, manager, vulnerability

02-24-2016 01:54 PM
New Contributor III

Did anyone see this...Does it relate to LM 10.3.1 and is there a patch available?

Flexera FlexNet Publisher up to Packet Handler Opcode buffer overflow

0 Kudos
5 Replies
MVP Esteemed Contributor

Above my head....but tagging ArcGIS for Desktop Installation support. Maybe Stuart has some input.

0 Kudos
Esri Esteemed Contributor

Is your license server exposed to the outside world? If not, I wonder if this will have much impact...

0 Kudos
New Contributor III

Not the outside world but we do have a population of very bright CS

students...if it's an issue we would like to patch.

0 Kudos
MVP Frequent Contributor

ArcGIS for Desktop Installation support, ArcGIS for Server

Well, the CVE report is pretty clear--all FlexNet Publisher based licensing using lmgrd and "Vendor" daemons through FNP release are impacted by the vulnerability.  Security patch 1 for was reportedly released on 24 November 2015.

Meaning -- ArcGIS 10.3.1 and earlier builds of the License Manager are affected. ArcGIS 10.3.1 uses lmgrd and libFNP.dll version  (lmgr.lib 152538 -- built 2015-03-20) is definitely vulnerable. 

Vendors on support would have received a source patch from Flexera, released 2015-11-24 along with a new lmgrd.exe build  to be compiled by each Vendor into their product for distribution.

Unclear if the ArcGIS 10.4 LM using  (lmgr.lib 173302 - dated 2015-12-01 but built by Esri 2016-01-06) has the security patch or not. It is possible but I am unable to verify. That requires access to a FlexNet Publisher SDK which I do not have. Laurene Koman are you still wrangling the FlexNet Publisher stuff? If not, can you poke someone to comment.

Also, not clear if the lmadmin based licensing is affected by the buffer overflow condition. Although the lmgrd services are replaced, it is possibly impacted as the same vulnerable Vendor daemons are used there as well. But that is not an issue for Esri as they do not deploy lmadmin.

Unfortunately I have about a dozen vendor daemons I will have to tighten firewall for, and pester vendors to patch. A pain for some of the programs that we are off support for.
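The inventory exercise this reply describes (list every lmgrd and vendor daemon on a license server, note which build each one is, and tighten the firewall on each port) as an added Python example; it is not code from the thread, Esri or Flexera. The license file and the `-v` style version banners are constructed for the example, the daemon names `demovend` and `thirdvend` are made up, and the only page-derived value is lmgr.lib build 152538, used as the known-vulnerable reference. Because the November 2015 fix was a source patch each vendor compiles in, a build number above 152538 is reported as "unverified" rather than "patched"; only the vendor can confirm it. The 27000-27009 range is FlexNet's documented default for lmgrd when SERVER pins no port.

```python
import re
from typing import Dict, List, Optional

# Constructed sample license file in FlexNet SERVER/VENDOR syntax.
# Hostid, paths and the demovend/thirdvend daemons are made up.
SAMPLE_LICENSE = """\
SERVER lic-host 001122334455 27000
VENDOR ARCGIS PORT=27001
VENDOR demovend /opt/flex/demovend PORT=27002
VENDOR thirdvend
USE_SERVER
"""

# Constructed version banners in the style lmgrd and vendor daemons print
# with -v; the parser relies only on the "build <number>" token.
SAMPLE_BANNERS = {
    "lmgrd": "lmgrd v11.13.0.0 build 152538 x64_n6",
    "ARCGIS": "ARCGIS v11.13.0.0 build 152538 x64_n6",
    "demovend": "demovend v11.13.1.2 build 173302 x64_n6",
    "thirdvend": "thirdvend: version banner unavailable",
}

# Highest build the thread reports as definitely vulnerable (lmgr.lib 152538).
# Newer builds may or may not carry the vendor-compiled source patch, so the
# report marks them "unverified" rather than "patched".
KNOWN_VULNERABLE_BUILD = 152538

# FlexNet's default lmgrd port range when the SERVER line pins no port.
LMGRD_DEFAULT_PORTS = range(27000, 27010)

_BUILD_RE = re.compile(r"\bbuild\s+(\d+)\b")
_PORT_RE = re.compile(r"\bPORT=(\d+)\b")


def parse_license_ports(license_text: str) -> Dict[str, Optional[int]]:
    """Map lmgrd and every VENDOR daemon to its TCP port.

    None means the license does not pin the port, so the daemon picks one at
    start-up and cannot be firewalled precisely until PORT= is set."""
    ports: Dict[str, Optional[int]] = {}
    for raw in license_text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if fields[0] == "SERVER":
            # SERVER host hostid [port]
            pinned = len(fields) > 3 and fields[3].isdigit()
            ports["lmgrd"] = int(fields[3]) if pinned else None
        elif fields[0] == "VENDOR":
            # VENDOR name [daemon_path] [[OPTIONS=]file] [[PORT=]port]
            m = _PORT_RE.search(raw)
            if m:
                ports[fields[1]] = int(m.group(1))
            elif len(fields) > 2 and fields[-1].isdigit():
                ports[fields[1]] = int(fields[-1])   # positional port form
            else:
                ports[fields[1]] = None
    return ports


def extract_build(banner: str) -> Optional[int]:
    """Pull the numeric build out of a daemon version banner, if present."""
    m = _BUILD_RE.search(banner)
    return int(m.group(1)) if m else None


def classify_build(build: Optional[int]) -> str:
    if build is None:
        return "unknown"
    if build <= KNOWN_VULNERABLE_BUILD:
        return "vulnerable"
    return "unverified"   # newer than the known-bad build; confirm with vendor


def firewall_advice(daemon: str, port: Optional[int]) -> str:
    if port is not None:
        return f"allow tcp/{port} from licensed subnets only"
    if daemon == "lmgrd":
        first, last = LMGRD_DEFAULT_PORTS.start, LMGRD_DEFAULT_PORTS.stop - 1
        return f"restrict tcp/{first}-{last} to licensed subnets"
    return "pin PORT= in the license file, then restrict that port"


def audit(license_text: str, banners: Dict[str, str]) -> List[dict]:
    """Join the port inventory with build status for every daemon."""
    rows = []
    for daemon, port in parse_license_ports(license_text).items():
        build = extract_build(banners.get(daemon, ""))
        rows.append({
            "daemon": daemon,
            "port": port,
            "build": build,
            "status": classify_build(build),
            "firewall": firewall_advice(daemon, port),
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_LICENSE, SAMPLE_BANNERS):
        print(row)
```

On a real server the banners would come from running each daemon binary with `-v` and the license text from the file lmgrd was started with; the point of the "unverified" bucket is that a newer build number alone does not prove the vendor compiled in the patch, which is exactly the 10.4 question raised above.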


Esri Contributor