A potential vulnerability exists in FlexNet inventory agent and inventory beacon versions 2020 R2.5 and earlier installations on Microsoft Windows. The vulnerability can potentially allow locally authenticated users to modify otherwise restricted files. The gain of further local privileges has not been reported. However, out of an abundance of caution, Flexera will not rule this out.
To address the potential vulnerability, Flexera quickly established mitigations through the security update IOJ-2210678 for the FlexNet inventory agent and inventory beacon version 2021 R1 release.
Publicly disclosed? No
Exploited? No known exploits
For security reasons, beyond the described vector and impact, Flexera will not publish further details regarding the cause of this potential vulnerability.
The potential vulnerability has been rated with a CVSS (Common Vulnerability Scoring System) version 3.1 base score of 7.8.
Please be aware that the CVSS version 3.1 and its automatic calculation of the CVSS scoring based on the CVSS metrics are known to have scaling issues such that potential vulnerabilities frequently end up in the higher-scoring brackets.
Flexera’s internal vulnerability analysis and assessment team “Secunia Research” assigned a criticality rating of “Less Critical”, which is the second-lowest “Secunia Research” criticality rating on a scale of 5 criticality ratings (from “Not Critical” through “Extremely Critical”).
For security reasons, Flexera will not publish the steps to reproduce this security vulnerability.
Flexera has updated the Windows FlexNet inventory agent and inventory beacon for 2021 R1, resolving this vulnerability as detailed in security update IOJ-2210678. Flexera recommends upgrading FlexNet inventory agent and inventory beacon versions 2020 R2.5 and earlier to version 2021 R1 or later.
Please download the updated FlexNet inventory agent and inventory beacon version 2021 R1 available through the Product and License Center (Flexera Community > More > Product and License Center). Updates are available for inventory beacon versions 2018 R1 and later, as shown in the following table. (For FlexNet Manager Suite versions older than 2018 R1, Flexera recommends upgrading to the latest version of FlexNet Manager Suite.)
Note: The FlexNet inventory agent and inventory beacon update packages are backward compatible with earlier versions, as shown in the table below, and can be used for these upgrades.
You may also need to update the properties of each inventory beacon (Discovery & Inventory > Network > Beacons, click through to open the properties of an inventory beacon, and in the General tab, set Upgrade mode). Your connected inventory beacons then automatically upgrade after their next policy update.
If you have Beacon version approved for use set to "Always use the latest version", the security patch is already applied automatically to your connected inventory beacons (those that download policy and upload inventory automatically). If you have any disconnected inventory beacons, use your normal method to upgrade those to version 17.0.1 or later.
If you have the approved beacon version set to anything earlier than 17.0.1, you should change this setting to version 17.0.1 or later.
If you are using FlexNet Manager Suite 2018 R1 or 2018 R2 for FlexNet inventory agent upgrade, you can set the inventory agent upgrade by following the instructions in the upgrade guide:
.\ConfigureSystem.exe select-agent-upgrade --version versionString
Note: This FlexNet inventory agent security update is for FlexNet inventory agent for the Windows platform. The update contains FlexNet inventory agent for other platforms to provide a consistent inventory agent version in your environment.
| FlexNet inventory agent and beacon versions | Compatible FlexNet inventory agent and beacon version | FlexNet inventory agent and beacon upgrade file in PLC |
| --- | --- | --- |
| FlexNet Inventory agent and beacon 2018 R1 | FNMS 2021 R1 inventory agent & beacon with security update | FNMS 2021 R1 Agent & Beacon Upgrade 17.0.1.zip |
| FlexNet Inventory agent and beacon 2018 R2 | FNMS 2021 R1 inventory agent & beacon with security update | FNMS 2021 R1 Agent & Beacon Upgrade 17.0.1.zip |
| FlexNet Inventory agent and beacon 2019 R1 | FNMS 2021 R1 inventory agent & beacon with security update | FNMS 2021 R1 Agent & Beacon Upgrade 17.0.1.zip |
| FlexNet Inventory agent and beacon 2019 R2 | FNMS 2021 R1 inventory agent & beacon with security update | FNMS 2021 R1 Agent & Beacon Upgrade 17.0.1.zip |
| FlexNet Inventory agent and beacon 2020 R1 | FNMS 2021 R1 inventory agent & beacon with security update | FNMS 2021 R1 Agent & Beacon Upgrade 17.0.1.zip |
| FlexNet Inventory agent and beacon 2020 R2 | FNMS 2021 R1 inventory agent & beacon with security update | FNMS 2021 R1 Agent & Beacon Upgrade 17.0.1.zip |
Your action depends on your current settings in Discovery & Inventory > Settings.
Note: All previous releases of the inventory agent and inventory beacon have been deprecated in FlexNet Manager Suite for cloud customers, including the inventory agent for supported non-Windows operating systems. We recommend that customers use the latest available release of the inventory agent and inventory beacon for future deployments and upgrades.
If you decide to upgrade an inventory beacon manually, please disable the inventory beacon auto-upgrade through the beacon properties before upgrading manually. If you don't modify the settings for automatic upgrades, the next update of beacon policy reverts the inventory beacon back to the previous setting.
The FlexNet inventory agent and inventory beacon update IOJ-2210678 needs to be deployed on the web application server and inventory server. In the case of a single server implementation of FlexNet Manager Suite, the update only needs to be run once. In the case of a multi-box implementation (where the web application server and the inventory server are separate servers), the update needs to be run on both the web application server and the inventory server. For detailed instructions, please follow the readme.txt file shipped with the update.
A Flexera customer identified the potential vulnerability.
FlexNet Manager Suite On-Premises, Multi-tenant (including Cloud) installations on Microsoft Windows FlexNet inventory agent and inventory beacon version 2020 R2.5 and earlier.
Regardless of the limited vector the potential vulnerability provides, Flexera would like to take the opportunity to remind customers that basic security best practices should be followed in conjunction with the installation and use of the FlexNet inventory agent and inventory beacon.
Aug 25, 2021 02:46 AM - edited Sep 20, 2021 08:41 PM