The Community is now in read-only mode to prepare for the launch of the new Flexera Community. During this time, you will be unable to register, log in, or access customer resources. Click here for more information.
A potential vulnerability exists in FlexNet inventory agent and inventory beacon versions 2022 R2.3 Part Number: 19.3.0 and earlier installations on Unix-like platforms devices running Docker daemon containers. The vulnerability may potentially allow a privilege escalation.
To address the potential vulnerability, Flexera quickly established mitigations through the security update IOK-1085727 for the FlexNet inventory agent and inventory beacon version 2022 R2.4 Part Number: 19.4.0.
Publicly disclosed? No.
Exploited? No known exploits.
For security reasons, beyond the described vector and impact, Flexera will not publish further details regarding the cause of this potential vulnerability.
The potential vulnerability has been rated with a CVSS (Common Vulnerability Scoring System) version 3.1 base score of 7.8.
Please be aware that the CVSS version 3.1 and its automatic calculation of the CVSS scoring based on the CVSS metrics are known to have scaling issues such that potential vulnerabilities frequently end up in the higher-scoring brackets.
Flexera’s internal vulnerability analysis and assessment team “Secunia Research” assigned a criticality rating of “Less Critical”, which is the second-lowest “Secunia Research” criticality rating on a scale of 5 criticality ratings (from “Not Critical” through “Extremely Critical”).
For security reasons, Flexera will not publish the steps to reproduce this security vulnerability.
Flexera has released an update to address a security vulnerability in the FlexNet inventory agent and inventory beacon remote inventory for Unix-like platforms. The updated versions, 2022 R2.4 Part Number: 19.4.0, resolve the vulnerability as detailed in the security update IOK-1085727. Flexera recommends upgrading FlexNet inventory agent and inventory beacon versions 2022 R2.3 Part Number: 19.3.0 and earlier to version 2022 R2.4 Part Number: 19.4.0 or later.
This vulnerability can be mitigated by including the following folder in the list of excluded file evidence folders for Linux/UNIX operating systems.
For reference, here is the user interface to configure file path exclusions on the Inventory Settings page.
Please download the updated FlexNet inventory agent and inventory beacon version 2023 R1 or later available through the Product and License Center (Flexera Community > More > Product and License Center). Flexera recommends upgrading to the latest version of the FlexNet inventory agent and inventory beacon version or FlexNet Manager Suite.
Note: The FlexNet inventory agent and inventory beacon update packages are designed to be compatible with the operating systems and architecture versions supported by the FlexNet Manager Suite supported version that is currently in use.
You may also need to update the properties of each inventory beacon (Discovery & Inventory > Network > Beacons, click through to open the properties of an inventory beacon, and in the General tab, set Upgrade mode). Your connected inventory beacons then automatically upgrade after their next policy update.
If you have Beacon version approved for use set to "Always use the latest version", the security patch will have been applied automatically to your connected inventory beacons (those that download policy and upload inventory automatically), however Flexera always recommends that you confirm that beacons are updating as expected. If you have any disconnected inventory beacons, use your normal method to upgrade those to version 19.4.0 or later.
If you have the approved beacon version set to anything earlier than 19.4.0, you should change this setting to version 19.4.0 or later.
If you want to deploy the inventory agent and inventory beacon using the FlexNet Manager Suite supported version earlier than 2023 R1, you can set the inventory agent upgrade by following the instructions in the upgrade guide.
Note: This FlexNet inventory agent security update is for the FlexNet inventory agent for the Unix-like platforms. Inventory agent and inventory beacon version 19.4.0 and later are compatible with earlier supported versions of FlexNet Manager Suite. FlexNet inventory agent and beacon versions earlier than version 19.4.0 have been deprecated.
Flexera One ITAM and FNMS do not support automatic upgrading of the Flexera inventory agent for Debian Linux.
Your action depends on your current settings in Discovery & Inventory > Settings
Note. All the previous supported releases of the inventory agent and inventory beacon have been deprecated in the Flexera One IT Asset Manager and IT Visibility for cloud customers, including inventory agent for non-windows supported operating systems, we recommend our customers to use the latest available release of inventory agent and inventory beacon for future deployments and upgrades.
Flexera One ITAM and FNMS do not support automatic upgrading of the Flexera inventory agent for Debian Linux.
If you decide to upgrade an inventory beacon manually, please disable the inventory beacon auto-upgrade through the beacon properties before upgrading manually. If you don't modify the settings for automatic upgrades, the next update of the beacon policy reverts the inventory beacon back to the previous setting.
FlexNet inventory agent for Unix-like platforms and inventory beacon update IOK-1085727 need to be deployed on the web application server and inventory server. In the case of a single server implementation of FlexNet Manager Suite, the update only needs to be run once. In the case of a multi-box implementation (where the web application server and the inventory server are separate servers), the update needs to be run on both the web application server and the inventory server.
Credit for identifying this issue goes to Patrick Romero of CrowdStrike.
FlexNet inventory agent and inventory beacon versions prior to 19.4.0 for Unix-like platforms used by Flexera One IT Asset Management, IT Visibility, and FlexNet Manager Suite for On-Prem customers.
Regardless of the limited vector the potential vulnerability provides, Flexera would like to take the opportunity to remind customers, that basic security best practices in conjunction with the FlexNet inventory agent and inventory beacon installation and use should be followed.
Dec 01, 2023 03:07 AM - edited Dec 17, 2023 07:46 PM
Good question @mschwach,
In the scenario you have described, yes inventory agent version 19.0.0 needs to be upgraded to the latest version in use. I would also suggest applying the suggested workaround above that will be instant, followed by an inventory agent upgrade as that may take a bit more planning and execution.
Hope this will help.
Aamer
will exclusion of /var/lib/ cause any significant impact in evidence reporting or application inventory process for Linux\Unix systems ?
No, it should not, as /var/lib/ path is not used for application installation.
Where do we get 19.4.0 from as it is not available in downloads
More information about the vulnerability: https://www.crowdstrike.com/blog/crowdstrike-discovers-vulnerability-in-flexnet-inventory-agent/
I believe this KB should be updated with:
Publicly disclosed? Yes.