The Community is now in read-only mode to prepare for the launch of the new Revenera Community. During this time, you will be unable to register, log in, or access customer resources from Nov 22nd-Nov 25th. Click here for more information.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security Advisory: Revenera's Product Assessment and Response to cURL Vulnerabilities CVE-2023-38545 and CVE-2023-38546

cvirata
Revenera Community Admin Revenera Community Admin
Revenera Community Admin
3 3 2,855

(Latest Update 2023-Nov-17 17:47 CDT)

The cURL 8.4.0 patch has been released and we're continuing to assess Revenera product impact and if any remediation work is required.

If you need to patch cURL on your own servers or environment, the patch files are available at https://curl.se/download.html.

Revenera Product Assessment

Product cURL present in Product Present in Product Version or Component Mitigation / Fixed Version Notes
Installation
InstallAnywhere No None NA  
InstallShield Yes 2023 R1 2023 R2 Updated impacted sub-module in latest release.

Download remediated versions from Product and License Center
 
Software Composition Analysis
Code Insight No None NA  
SBOM Insights No None NA  
 
Software Monetization
Cloud Licensing (CLS) No None NA  
Compliance Intelligence (RCI) No None NA  
FlexNet Embedded - License Server Manager (FLSM) No None NA  
FlexNet Embedded - Local License Server (LLS) No None NA  
FlexNet Embedded SDK Yes

C-XT: All versions

Non C-XT: Versions prior 2023.09

C-XT: FlexNet Embedded 2023.09.1

Non C-XT: FlexNet Embedded 2023.09

Download remediated versions from Product and License Center
FlexNet Operations - ALM No None NA  
FlexNet Operations - LLM No None NA  
FlexNet Operations On-Premise No None NA  
FlexNet Publisher No None NA  
Usage Intelligence (RUI) No None NA  

 

The information on this page reflects:

  • The assessed status of all versions of Revenera’s products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.revenera.com/eol/default.htm.

Related Information

Change Log

  • 2023-12-7 13:11 CDT: Published final product assessment.
  • 2023-10-10 13:03 CDT: Initial advisory posted.
  • 2023-10-11 18:07 CDT: Update regarding cURL 8.4.0 patch and ongoing product assessment.
  • 2023-10-12 11:13 CDT: Published initial product assessment.
  • 2023-10-18 13:38 CDT: Updated assessment for FlexNet Embedded LLS and Usage Intelligence products to not affected.
  • 2023-10-26 09:55 CDT: Updated assessment for FlexNet Operations Cloud ALM to not affected.
  • 2023-11-17 17:47 CDT: Updated product assessment for FlexNet Embedded. 

Initial Advisory (posted on Oct 10, 2023 11:03 AM)

We are aware of the recent cURL security vulnerabilities (CVE-2023-38545 and CVE-2023-38546) and are assessing which of our products may be impacted.

Once specific details regarding the impacted versions of cURL are released on October 11th, we will reconcile that with our analysis and provide further updates on any necessary remediation work. Please subscribe to this page to be notified of subsequent updates.

Thank you for your patience.

Tags (1)
(3) Comments
alexrybak
Revenera
Revenera

A few things to keep in mind:

  • As always, security patches tend to take a few attempts to fully resolve, so keep an eye our for subsequent patches as more exploit scenarios are uncovered and/or additional security issues are reported.
  • Also, even if you are not a software supplier, don’t forget to check your servers as you likely have cURL installed on them in your data center. Make sure you upgrade all instances to the appropriate "latest" version as patches are released.
  • Finally, do not forget to check derivative projects that were base on or ported from cURL for impact... i.e., pycurl, python-pycurl, and others.
clementlee
Level 2

Does FlexNet Publisher (FNP Client and Server) use cURL?

cvirata
Revenera Community Admin Revenera Community Admin
Revenera Community Admin

@clementlee - Our product teams are actively assessing potential exposure to the cURL vulnerabilities and are preparing an update for those that have completed their assessment so far. 

For now, I've confirmed with the FlexNet Publisher team that FlexNet Publisher does not package or use cURL in either the client or server.