Showing results for 
Show  only  | Search instead for 
Did you mean: 

CVE-2018-20033 remediated in FlexNet Publisher

CVE-2018-20033 remediated in FlexNet Publisher


CVE-2018-20033 has been discovered and remediated in FlexNet Publisher


****Only the following information is permitted to be distributed outside of Flexera Software and customers of FlexNet Publisher:
        - CVE number
        - CWE ID
        - CVSS scores
        - Reference to any publicly-available information

A Remote Code Execution (RCE) vulnerability exists on all platforms in versions or earlier of the following FlexNet Publisher components:

  • lmgrd executable, provided by Flexera Software
  • vendor daemon executable, built by each FlexNet Publisher customer from object code provided by Flexera

Depending upon the license model(s) you offer to your customers, you may or may not distribute one or both of these components to one or more of your customers. If you don’t distribute either of these components, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article.

This security vulnerability has been assigned the CVE ID number of CVE-2018-20033.

The vulnerability could allow a remote attacker to corrupt the memory by allocating / de-allocating memory, loading lmgrd or the vendor daemon, and causing the heartbeat between lmgrd and the vendor daemon to stop. This would force the vendor daemon to shut down.

No exploit of this vulnerability has been demonstrated.


For security reasons, Flexera will not publish the cause of this security vulnerability.

Steps To Reproduce

For security reasons, Flexera Software will not publish the steps to reproduce this security vulnerability.


The FlexNet Publisher 11.16.2 addresses the security vulnerability and is available from Flexera’s Product and License Center:
  • FlexNet Publisher 2018 R4
We advise all FlexNet Publisher customers update lmgrd to FlexNet Publisher 11.16.2, and the vendor daemon as soon as possible after that. Please note that lmadmin or clients are not affected.
As a reminder, Flexera no longer distributes the lmgrd executables to end customers; your end customers can only receive the lmgrd executable from you.


No workaround available.

Additional Information

Please be aware that network access to the FlexNet Publisher License Server would be necessary to perform any attack. Protecting the license server from unauthorized access is essential to minimize the opportunities for any of the vulnerabilities to be exploited. Customers are also strongly advised to follow best practice in protecting the license server from unauthorized access.

Related Documents

Tags (1)
Was this article helpful? Yes No
No ratings
Version history
Last update:
‎Apr 04, 2019 07:30 PM
Updated by: