A potential vulnerability exists in FlexNet inventory agent and inventory beacon versions 2022 R2.3 (Part Number: 19.3.0) and earlier when installed on Unix-like platform devices running Docker daemon containers. The vulnerability may allow privilege escalation.

To address the potential vulnerability, the security update IOK-1085727 for the FlexNet inventory agent and inventory beacon version 2022 R2.4 (Part Number: 19.4.0) was released.

Applies to

FlexNet inventory agent and inventory beacon versions prior to 19.4.0 for Unix-like platforms used by Flexera One IT Asset Management, IT Visibility, and FlexNet Manager Suite on-premises.

CVE Identifier

CVE-2023-29082

Exploitability Assessment

Publicly disclosed? No.

Exploited? No known exploits.

Rating

The potential vulnerability has been rated with a CVSS (Common Vulnerability Scoring System) version 3.1 base score of 7.8.

CVSS version 3.1 and its automatic scoring calculation based on the CVSS metrics are known to have scaling issues, such that potential vulnerabilities frequently end up in the higher-scoring brackets.

Flexera’s internal vulnerability analysis and assessment team, Secunia Research, assigned a criticality rating of “Less Critical”, which is the second lowest Secunia Research criticality rating on a scale of 5 criticality ratings (from “Not Critical” through “Extremely Critical”).

Resolution

Flexera has released an update to address the security vulnerability. We recommend upgrading the FlexNet inventory agent and inventory beacon versions 2022 R2.3 Part Number: 19.3.0 and earlier to version 2022 R2.4 Part Number: 19.4.0 or later.

Update FlexNet Manager Suite on-premises

Download the updated FlexNet inventory agent and inventory beacon version 2023 R1 or later, available through the Product and License Center. We recommend upgrading to the latest version of the FlexNet inventory agent and inventory beacon for FlexNet Manager Suite.

NOTE: The FlexNet inventory agent and inventory beacon update packages are designed to be compatible with the operating systems and architecture versions still supported. See the FlexNet Manager Suite Lifecycle Timeline to see which versions are supported. 

Where to deploy

FlexNet inventory agent for Unix-like platforms and inventory beacon update IOK-1085727 must be deployed on the web application server and inventory server.

  • If you’re using a single server implementation of FlexNet Manager Suite, the update only needs to be run once.
  • If you’re using a multi-box implementation, where the web application server and the inventory server are separate servers, the update needs to be run on both servers.

Single server implementation

  1. Web application server + inventory server combined (apply the update once).

Multi-server implementation 

  1. Web application server (apply update).
  2. Inventory server (apply update). 

Beacon upgrade settings

Your beacon upgrading steps depend on your current settings.

  • If you have Upgrade mode set to Always use the latest version, the security patch will have been applied automatically to your connected inventory beacons (those that download policy and upload inventory automatically). However, you should confirm that your beacons are updating as expected.
  • If you have any disconnected inventory beacons, use your normal method to upgrade those to version 19.4.0 or later. The latest version is recommended.
  • If you have the approved beacon version set to anything earlier than 19.4.0, change this setting to version 19.4.0 or later. The latest version is recommended.

To verify your beacon upgrade settings:

FlexNet Manager Suite

  1. Navigate to Discovery & Inventory > Network > Beacons. 
  2. For each beacon, select the pencil icon under Actions to open the Beacon Properties.
  3. In the General tab, view the Upgrade mode.

Flexera One

  1. Navigate to Data Collection > IT Assets Inventory Tasks > Beacons.
  2. For the desired inventory beacon, click its edit icon.
  3. In the Overview section of the General tab, view the Upgrade mode.

Inventory agent upgrade settings

FlexNet Manager Suite

  • If you’re using FlexNet Manager Suite for the auto-upgrade of FlexNet inventory agent, on the Inventory Settings page, you can set the Version to deploy to 20.1.0 and the Upgrade mode and Platform options to the mode and platform you’d like to upgrade to. For help with this, see Inventory Agent for Automatic Deployment.
  • If you want to deploy the inventory agent and beacon using the FlexNet Manager Suite-supported version earlier than 2023 R1, you can upgrade the inventory agent by following the instructions in the upgrade guide for FlexNet Manager Suite 2023 R2.

Flexera One

  • If you are using the Flexera One IT Asset Manager auto-upgrade feature to upgrade FlexNet inventory agent, you can set the Version to deploy to 21.0.0 and the Upgrade mode and Platform options to the mode and platform you’d like to upgrade to.

NOTE: The FlexNet inventory agent security update is for the FlexNet inventory agent for Unix-like platforms. Inventory agent and inventory beacon version 19.4.0 and later are compatible with earlier supported versions of FlexNet Manager Suite. FlexNet inventory agent and beacon versions earlier than version 19.4.0 have been deprecated. See the FlexNet Manager Suite Lifecycle Timeline to see which versions are supported. 

NOTE: Flexera One ITAM and FlexNet Manager Suite don’t support automatic upgrading of the Flexera inventory agent for Debian Linux.
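A fleet triage sketch for the criteria in this advisory, added here as an example and not Flexera code: it sorts hosts by the 19.4.0 fix version, the Unix-like scope, the Docker exposure condition, and the Debian auto-upgrade exception. The CSV columns, host names, and verdict labels are assumptions made for the example.

```python
import csv
import io

FIXED = (19, 4, 0)  # first fixed agent/beacon version per the advisory

# Constructed sample export; column names are assumptions, not a Flexera format.
SAMPLE = """host,os,agent_version,docker
app01,RHEL 8,19.3.0,yes
db02,Debian 11,18.6.0,yes
web03,Ubuntu 22.04,19.4.0,yes
win04,Windows Server 2019,17.2.0,no
ci05,SLES 15,19.2.1,no
old06,Solaris 11,unknown,yes
"""

def parse_version(text):
    """Return a 3-int tuple, or None if the string is not a dotted numeric version."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(row):
    os_name = row["os"].lower()
    if os_name.startswith("windows"):
        return "out-of-scope"          # advisory covers Unix-like platforms only
    ver = parse_version(row["agent_version"])
    if ver is None:
        return "verify-version"        # cannot decide; check the host by hand
    if ver >= FIXED:
        return "fixed"
    # Below 19.4.0 on a Unix-like host: upgrade. Debian has no auto-upgrade path.
    # Assumption: the OS string contains "debian" only for Debian Linux itself.
    method = "manual-upgrade" if "debian" in os_name else "auto-upgrade"
    # Hosts with Docker match the advisory's exposure condition, so they go first.
    priority = "priority" if row["docker"].strip().lower() == "yes" else "routine"
    return f"{method}:{priority}"

def triage(csv_text=SAMPLE):
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row) for row in reader}

if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host:6} {verdict}")
```

Hosts marked `priority` are also the ones where the /var/lib exclusion workaround matters most until the upgrade lands.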

Manual upgrade (FlexNet Manager Suite and Flexera One)

If you decide to upgrade an inventory beacon manually, disable the inventory beacon auto-upgrade through the beacon properties first. If you don't modify the settings for automatic upgrades, the next update of the beacon policy reverts the inventory beacon back to the previous setting.

Security best practices

Regardless of the limited vector the potential vulnerability provides, basic security best practices in conjunction with the FlexNet inventory agent and inventory beacon installation and use should be followed.

  • FlexNet inventory agent, inventory beacon, and FlexNet Manager Suite server communication should be secured using HTTPS.
  • Privileges to access Flexera products, their components, the systems they run on and utilized networks should be granted on a least (minimal) privilege basis.

Workaround

This vulnerability can be mitigated by including the following folder in the list of excluded file evidence folders for Linux/UNIX operating systems:

  • /var/lib/

To exclude the file evidence folder:

  1. Go to Inventory Settings.
  2. Select the + button and enter /var/lib.

  3. Select Save.

Last update: May 10, 2024 02:03 PM