CVE-2018-20034 remediated in FlexNet Publisher

Title

Summary

CVE-2018-20034 has been discovered and remediated in FlexNet Publisher

Symptoms

****Only the following information is permitted to be distributed outside of Flexera Software and customers of FlexNet Publisher:
- CVE number
- CWE ID
- CVSS scores
- Reference to any publicly-available information
****

A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down.

Depending upon the license model(s) you offer to your customers, you may or may not distribute one or both of these components to one or more of your customers. If you don’t distribute either of these components, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article.

This security vulnerability has been assigned the CVE ID number of CVE-2018-20034.

Cause

For security reasons, Flexera will not publish the cause of this security vulnerability.

Steps To Reproduce

For security reasons, Flexera Software will not publish the steps to reproduce this security vulnerability.

Resolution

The FlexNet Publisher 11.16.2 addresses the security vulnerability and is available from Flexera’s Product and License Center (https://flexerasoftware.flexnetoperations.com/control/inst/login?nextURL=%2Fcontrol%2Finst%2Findex):

FlexNet Publisher 2018 R4

We advise all FlexNet Publisher customers update lmgrd to FlexNet Publisher 11.16.2, and the vendor daemon as soon as possible after that. Please note that lmadmin or clients are not affected.
As a reminder, Flexera no longer distributes the lmgrd executables to end customers; your end customers can only receive the lmgrd executable from you.

Workaround

No workaround available.

Additional Information

Please be aware that network access to the FlexNet Publisher License Server would be necessary to perform any attack. Protecting the license server from unauthorized access is essential to minimize the opportunities for any of the vulnerabilities to be exploited. Customers are also strongly advised to follow best practice in protecting the license server from unauthorized access.

Related Documents

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20034

https://nvd.nist.gov/vuln/detail/CVE-2018-20034

Was this helpful?

Support Hub

Product

FlexNet Publisher

Visibility

Guest

URL Name

cve-2018-20034-remediated-in-flexnet-publisher

Are you sure you want to cancel the case creation?

Case closed successfully

Action performed successfully

Upload Attachment

Maximum file size allowed is 3 MB.

File type not supported.

Supported file types:

Documents (.txt, .doc, .docx, .pdf), Images (.jpg, .png), Comma Separated Files (.csv) Speadsheets (.xlsx, .xls)

Are you sure you want to close this case

Get Hotline support

Products	Region	Phone Numbers
FlexNet Operations FlexNet Embedded FlexNet Publisher FlexNet Connect FlexNet Code Insight InstallAnywhere InstallShield	North America *	+1 630-332-2513 (toll) +1 877-279-2853 (toll-free in North America)
	Europe *	+44 1925 944367 (toll) +44 800 047 8642 (toll-free in Europe)
	Japan *	+81 3-4540-5335 (select option 2)
	Australia *	+61 3 9895 2177 +61 1800 560 603 (toll-free in Australia)
Usage Intelligence (formerly Revulytics) Compliance Intelligence	Please use the Case Portal to submit your support ticket or reach out to your Revenera contact.