Summary
A cumulative update is available to remediate a vulnerability in the FlexNet Beacon
Symptoms
A vulnerability exists in the FlexNet Beacon shipped with on-premises releases of FlexNet Manager Suite from 2014 up to and including 2016 R1 SP1. To understand the potential consequences of this vulnerability, please refer to the Common Consequences section of CWE-22 (Common Weakness Enumeration). The CVSS base score for this vulnerability is 10.
The published hotfix for this issue also includes an additional fix. Please refer to the Common Consequences section of CWE-79 (Common Weakness Enumeration). The CVSS base score for this vulnerability is 8.3.
FlexNet Manager Suite Cloud was updated on 25 January 2017 for both issues.
Cause
For the cause of these vulnerabilities, see the Description sections of:
- CWE-22
- CWE-79
Resolution
As of February 2nd, 2017, the following security updates are available from Flexera Software's Product and License Center:
- FlexNet Manager Suite 2016 R1 SP1: FlexNet Manager Suite Hotfix 2016R1SP1-03
- FlexNet Manager Suite 2016 R1: FlexNet Manager Suite Hotfix 2016R1-01
- FlexNet Manager Suite 2015 R2 SP5: FlexNet Manager Suite Hotfix 2015R2SP5-03
- FlexNet Manager Suite 2015 R2 SP4: FlexNet Manager Suite Hotfix 2015R2SP4-01
- FlexNet Manager Suite 2015 R2 SP3: FlexNet Manager Suite Hotfix 2015R2SP3-02
- FlexNet Manager Suite 2015 R2 SP2: FlexNet Manager Suite Hotfix 2015R2SP2-01
- FlexNet Manager Suite 2015 R2 SP1: FlexNet Manager Suite Hotfix 2015R2SP1-04
- FlexNet Manager Suite 2015 R2: FlexNet Manager Suite Hotfix 2015R2-01
- FlexNet Manager Suite 2015: FlexNet Manager Suite Hotfix 2015-01
- FlexNet Manager Suite 2014 R3: FlexNet Manager Suite Hotfix 2014R3-02
- FlexNet Manager Suite 2014 R2: FlexNet Manager Suite Hotfix 2014R2-01
When applying the patch that applies to your installed release of FlexNet Manager Suite, updates will be applied to the inventory beacon and FlexNet Manager Suite servers.
Note that only the latest available Beacon software will be updated, so ensure that only the latest Beacon version, listed in the 'Version to deploy' drop-down box, is used when deploying an inventory beacon.
It is strongly recommended that all inventory beacons are updated to ensure they are running the latest FlexNet Beacon version. This may require updating the Beacon policy for all beacons, on the Configure a Beacon page, so that the Upgrade mode setting is 'Always use the approved version'.
All inventory beacons are required to be upgraded to apply the update. To ensure that all inventory beacons have been upgraded, please refer to the status values of the Connectivity status and Policy Status columns on the Beacons page.
Workaround
CWE-22: Whilst only a specially-crafted upload could overwrite files on a target inventory beacon, the only effective workaround is to disable the inventory beacon(s) by setting the Web Server Settings to "No local web server (will not allow any incoming web requests)" in the FlexNet Beacon UI, and by disabling the "BeaconSvc" IIS endpoint on the FNMS server. Performing these steps will also stop the inventory beacon(s) from receiving any updates. As this will also prevent application of any patch, it is not recommended.
Related Documents
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/79.html
Additional Information
Acknowledgement: Thank you to Christopher Ebneter (ctof@live.com) for identifying and documenting vulnerability CWE-22.