Summary

A Denial of Service vulnerability was discovered in FlexNet Publisher's lmadmin 11.16.5, when doing a crafted POST request on lmadmin using web-based tool.

If you do not distribute lmadmin to your customers, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article. The vulnerability will not impact lmadmin if started without integrated web server.

Symptoms

**** Only the following information is permitted to be distributed to users of products enabled with FlexNet Publisher:
-CVE number (if available)
-CWE ID
-CVSS scores
-Any publicly available information
****

Certain POST request to FlexNet Publisher provided lmadmin server is unable to parse the message payload. Such messages can cause lmadmin unstable. This vulnerability has been assigned the ID of CVE-2019-8963. The CVSSv3.1 base score for this vulnerability is 6.5.

Resolution

The lmadmin enhanced functionality has brought more robustness to the parser module. Parser module understands and discards crafted POST request as invalid. lmadmin web server responds with web page as URL incorrect for these types of requests.

FlexNet Publisher 2020 R2 (11.17.0) and later address the security vulnerability and is available on the Product and License Center. We advise all FlexNet Publisher customers update lmadmin binary to FlexNet Publisher 2020 R2 or later.

As good practice, we advise customers to expose lmadmin to only a trusted network. This will reduce the attack vector to only those attackers who have access to that trusted network.

Additional Information

For identifying this vulnerability and disclosing it to Revenera under a responsible disclosure process, we'd like to thank Samuel Dugo of Ryanair.

Related Documents

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8963