Summary

A Denial of Service vulnerability related to command handling has been identified in FlexNet Publisher lmadmin.exe 11.16.2. See the Symptoms section for more details.

• If you DO NOT distribute lmadmin to your customers, there is no further action on your part.
• If you DO distribute lmadmin to your customers, you must distribute to those same customers the security update mentioned in the Resolution section of this article.

This security vulnerability has been assigned the CVE ID number of CVE-2019-8960.

Symptoms

The message reading function used in lmadmin.exe can, given a certain message, call itself again and then wait for a further message. With a particular flag set in the original message, but no second message received, the function eventually returns an unexpected value which leads to an exception being thrown. The end result can be process termination.

Resolution

FlexNet Publisher 2019 R3 SP1 (11.16.5.1) addresses the security vulnerability and is available from the Flexera/Revenera Product and License Center (login required).

We advise all FlexNet Publisher customers update lmadmin.exe to FlexNet Publisher 11.16.5.1.