- Revenera Community
- :
- FlexNet Publisher
- :
- FlexNet Publisher Knowledge Base
- :
- Remote Code Execution vulnerability remediated in lmadmin
- Mark as New
- Mark as Read
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Remote Code Execution vulnerability remediated in lmadmin
Remote Code Execution vulnerability remediated in lmadmin
Summary
A remote code execution (RCE) vulnerability was identified in the FlexNet Publisher lmadmin web user interface. This vulnerability is addressed in the FlexNet Publisher 2023 R2 (11.19.4.0) release.
Symptoms
If exploited, the vulnerability allows the execution of a rogue vendor daemon using the UNC path.
NOTE: This vulnerability does not impact the lmgrd utility.
Steps to Reproduce
For security reasons, we will not publish details for reproducing the vulnerability.
Workaround
We advise users to upgrade their lmadmin to 11.19.4.0 or greater. If users are unable to upgrade, license server administrators may start lmadmin with the -noweb option to disable the lmadmin web module. This prevents lmadmin from being accessed through a web browser and it will only be accessible via the console.
Fix Version and Resolution
The vulnerability is addressed in FlexNet Publisher 2023 R2 (11.19.4.0) which was released on May 17, 2023. Users are advised to upgrade their lmadmin to 11.19.4.0 or greater. License server administrators may download the latest lmadmin from the FlexNet Publisher lmadmin download links page.
Additional Information
For identifying this vulnerability and disclosing it to Revenera under a responsible disclosure process, we'd like to thank and credit Mattias Dewulf, co-founder of Spinae.