CVE-2019-8963 Remediated in FlexNet Publisher
Summary
A Denial of Service vulnerability was discovered in FlexNet Publisher's lmadmin 11.16.5, triggered when a crafted POST request is made to lmadmin using a web-based tool.
If you do not distribute lmadmin to your customers, no further action is required on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article. The vulnerability does not impact lmadmin if it is started without the integrated web server.
Symptoms
**** Only the following information is permitted to be distributed to users of products enabled with FlexNet Publisher:
- CVE number (if available)
- CWE ID
- CVSS scores
- Any publicly available information
****
The lmadmin server provided with FlexNet Publisher is unable to parse the message payload of certain POST requests. Such messages can cause lmadmin to become unstable. This vulnerability has been assigned the ID CVE-2019-8963. The CVSSv3.1 base score for this vulnerability is 6.5.
Resolution
Enhanced lmadmin functionality has made the parser module more robust. The parser module now recognizes crafted POST requests and discards them as invalid. For these types of requests, the lmadmin web server responds with a web page reporting the URL as incorrect.
FlexNet Publisher 2020 R2 (11.17.0) and later address the security vulnerability and are available on the Product and License Center. We advise all FlexNet Publisher customers to update the lmadmin binary to FlexNet Publisher 2020 R2 or later.
As good practice, we advise customers to expose lmadmin only to a trusted network. This reduces the attack vector to only those attackers who have access to that trusted network.
Additional Information
For identifying this vulnerability and disclosing it to Revenera under a responsible disclosure process, we'd like to thank Samuel Dugo of Ryanair.
Related Documents
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8963
Is this vulnerability CVE-2019-8963 related or the same as CVE-2020-12080?
https://nvd.nist.gov/vuln/detail/CVE-2020-12080
Thanks!