Summary

A remote code execution (RCE) vulnerability was identified in the FlexNet Publisher lmadmin web user interface. This vulnerability is addressed in the FlexNet Publisher 2023 R2 (11.19.4.0) release.

Symptoms

If exploited, the vulnerability allows the execution of a rogue vendor daemon using the UNC path.

NOTE: This vulnerability does not impact the lmgrd utility.

Steps to Reproduce

For security reasons, we will not publish details for reproducing the vulnerability.

Workaround

We advise users to upgrade their lmadmin to 11.19.4.0 or greater. If users are unable to upgrade, license server administrators may start lmadmin with the -noweb option to disable the lmadmin web module. This prevents lmadmin from being accessed through a web browser and it will only be accessible via the console.

Fix Version and Resolution

The vulnerability is addressed in FlexNet Publisher 2023 R2 (11.19.4.0) which was released on May 17, 2023. Users are advised to upgrade their lmadmin to 11.19.4.0 or greater. License server administrators may download the latest lmadmin from the FlexNet Publisher lmadmin download links page.

Additional Information

For identifying this vulnerability and disclosing it to Revenera under a responsible disclosure process, we would like to thank and credit Mattias Dewulf, co-founder of Spinae.