Did anyone see this...Does it relate to LM 10.3.1 and is there a patch available?
Flexera FlexNet Publisher up to 22.214.171.124 Packet Handler Opcode buffer overflow
Above my head....but tagging ArcGIS Desktop Installation support Maybe Stuart has some input.
Is your license server exposed to the outside world? If not, I wonder if this will have much impact...
Not the outside world but we do have a population of very bright CS
students...if it's an issue we would like to patch.
ArcGIS Desktop Installation support, ArcGIS Enterprise
Well, the CVE report is pretty clear--all FlexNet Publisher based licensing using lmgrd and "Vendor" daemons through FNP release 126.96.36.199 are impacted by the vulnerability. Security patch 1 for 188.8.131.52 was reportedly released on 24 November 2015.
Meaning -- ArcGIS 10.3.1 and earlier builds of the License Manager are affected. ArcGIS 10.3.1 uses lmgrd and libFNP.dll version 184.108.40.206 (lmgr.lib 152538 -- built 2015-03-20) is definitely vulnerable.
Vendors on support would have received a source patch from Flexera, released 2015-11-24 along with a new lmgrd.exe build to be compiled by each Vendor into their product for distribution.
Unclear if the ArcGIS 10.4 LM using 220.127.116.11 (lmgr.lib 173302 - dated 2015-12-01 but built by Esri 2016-01-06) has the security patch or not. It is possible but I am unable to verify. That requires access to a FlexNet Publisher SDK which I do not have. Laurene Koman are you still wrangling the FlexNet Publisher stuff? If not, can you poke someone to comment.
Also, not clear if the lmadmin based licensing is affected by the buffer overflow condition. Although the lmgrd services are replaced, it is possibly impacted as the same vulnerable Vendor daemons are used there as well. But that is not an issue for Esri as they do not deploy lmadmin.
Unfortunately I have about a dozen vendor daemons I will have to tighten firewall for, and pester vendors to patch. A pain for some of the programs that we are off support for.
Please refer to Esri KB 45811 regarding CVE-2015-8277
45811 - Warning of two security vulnerabilities in Flexera FlexNet Publisher
Retrieving data ...