FlexLM - license, manager, vulnerability

3680
5
02-24-2016 01:54 PM
ScottRutzmoser2
New Contributor III

Did anyone see this...Does it relate to LM 10.3.1 and is there a patch available?

Flexera FlexNet Publisher up to 11.13.1.2 Packet Handler Opcode buffer overflow

0 Kudos
5 Replies
RebeccaStrauch__GISP
MVP Esteemed Contributor

Above my head....but tagging ArcGIS for Desktop Installation support​    Maybe Stuart has some input.

0 Kudos
XanderBakker
Esri Esteemed Contributor

Is your license server exposed to the outside world? If not, I wonder if this will have much impact...

0 Kudos
ScottRutzmoser2
New Contributor III

Not the outside world but we do have a population of very bright CS

students...if it's an issue we would like to patch.

0 Kudos
V_StuartFoote
MVP Frequent Contributor

ArcGIS for Desktop Installation support​, ArcGIS for Server

CVE-2015-8277

Well, the CVE report is pretty clear--all FlexNet Publisher based licensing using lmgrd and "Vendor" daemons through FNP release 11.13.1.2 are impacted by the vulnerability.  Security patch 1 for 11.13.1.2 was reportedly released on 24 November 2015.

Meaning -- ArcGIS 10.3.1 and earlier builds of the License Manager are affected. ArcGIS 10.3.1 uses lmgrd and libFNP.dll version 11.12.1.2  (lmgr.lib 152538 -- built 2015-03-20) is definitely vulnerable. 

Vendors on support would have received a source patch from Flexera, released 2015-11-24 along with a new lmgrd.exe build  to be compiled by each Vendor into their product for distribution.

Unclear if the ArcGIS 10.4 LM using 11.13.1.2  (lmgr.lib 173302 - dated 2015-12-01 but built by Esri 2016-01-06) has the security patch or not.   It is possible but I am unable to verify. That requires access to a FlexNet Publisher SDK which I do not have.  Laurene Koman​ are you still wrangling the FlexNet Publisher stuff? If not, can you poke someone to comment.

Also, not clear if the lmadmin based licensing is affected  by the buffer overflow condition. Although the lmgrd services are replaced, it is possibly impacted as the same vulnerable Vendor daemons are used there as well. But that is not an issue for Esri as they do not deploy lmadmin.

Unfortunately I have about a dozen vendor daemons I will have to tighten firewall for, and pester vendors to patch. A pain for some of the programs that we are off support for.

Stuart

ChristianWells
Esri Contributor