Summary
A denial of service vulnerability was discovered in the lmadmin component of FlexNet Publisher.
Symptoms
**** Only the following information is permitted to be distributed to users of products enabled with FlexNet Publisher:
- CVE number (if available)
- CWE ID
- CVSS scores
- The text in the Workaround section
- Any publicly-available information
****
Specific user input can cause lmadmin to crash. Repeatedly specifying that same user input each time lmadmin restarts can extend the denial of service.
This vulnerability exists on all platforms in all supported versions of FlexNet Publisher lmadmin.
Depending upon the license models you offer to your customers, you may or may not distribute lmadmin. If you don't distribute lmadmin, there is no further action on your part. If you do, you should distribute lmadmin from the version of FlexNet Publisher mentioned in the Resolution section of this article when it is available.
This vulnerability has been assigned the ID of CVE-2016-6273.
The CVSSv3 base score for this vulnerability is 6.5; that is, medium severity.
Cause
For the cause of this vulnerability, see the Description section of CWE-248 (Uncaught Exception).
Steps To Reproduce
For security reasons, Flexera Software will not publish the steps to reproduce this vulnerability.
Resolution
This vulnerability is scheduled to be remediated in the following FlexNet Publisher versions:
- FlexNet Publisher 2015 Service Pack 5
- FlexNet Publisher 2016 R1 Service Pack 1
- FlexNet Publisher 2016 R2
Workaround
This vulnerability can be mitigated by your customers using lmgrd instead of lmadmin until the vulnerability is remediated in lmadmin.
If your customers must still use lmadmin: only in highly specialized environments would any of your customers expose lmadmin to the internet. Advise those customers to expose lmadmin only to a trusted network until the vulnerability is remediated in lmadmin. This reduces the attack vector to only those attackers who have access to that trusted network. Exposing lmadmin to the internet raises the CVSSv3 base score of this vulnerability to 7.5; that is, high severity.
Additional Information
A testing company discovered this vulnerability as part of their research. To our knowledge, only that testing company knew of the vulnerability at the time they discovered it.
This vulnerability was not detected by the static or dynamic vulnerability testing tools used by Flexera Software.
Flexera Software knows of no exploits of this vulnerability in production deployments.
If you have any questions, please contact Flexera Technical Support.