Security Advisory: Revenera's Product Assessment and Response to cURL Vulnerabilities CVE-2023-38545 and CVE-2023-38546

cvirata · ‎Oct 10, 2023

(Latest Update 2023-Nov-17 17:47 CDT)

The cURL 8.4.0 patch has been released and we're continuing to assess Revenera product impact and if any remediation work is required.

CVE-2023-38545 (Severity HIGH): This defect allows potential heap based buffer overflow in the SOCKS5 proxy handshake. This issues affects libcurl versions 7.69.0 to and including 8.3.0.
CVE-2023-38546 (Severity: LOW): If certain conditions are in effect, this defect may allow a cookie injection attack on a running program using libcurl. This defect affects libcurl versions 7.9.1 to and including 8.3.0.

If you need to patch cURL on your own servers or environment, the patch files are available at https://curl.se/download.html.

Revenera Product Assessment

Product	cURL present in Product	Present in Product Version or Component	Mitigation / Fixed Version	Notes
Installation
InstallAnywhere	No	None	NA
InstallShield	Yes	2023 R1	2023 R2	Updated impacted sub-module in latest release. Download remediated versions from Product and License Center

Software Composition Analysis
Code Insight	No	None	NA
SBOM Insights	No	None	NA

Software Monetization
Cloud Licensing (CLS)	No	None	NA
Compliance Intelligence (RCI)	No	None	NA
FlexNet Embedded - License Server Manager (FLSM)	No	None	NA
FlexNet Embedded - Local License Server (LLS)	No	None	NA
FlexNet Embedded SDK	Yes	C-XT: All versions Non C-XT: Versions prior 2023.09	C-XT: FlexNet Embedded 2023.09.1 Non C-XT: FlexNet Embedded 2023.09	Download remediated versions from Product and License Center
FlexNet Operations - ALM	No	None	NA
FlexNet Operations - LLM	No	None	NA
FlexNet Operations On-Premise	No	None	NA
FlexNet Publisher	No	None	NA
Usage Intelligence (RUI)	No	None	NA

The information on this page reflects:

The assessed status of all versions of Revenera’s products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.revenera.com/eol/default.htm.

Related Information

Change Log

2023-12-7 13:11 CDT: Published final product assessment.
2023-10-10 13:03 CDT: Initial advisory posted.
2023-10-11 18:07 CDT: Update regarding cURL 8.4.0 patch and ongoing product assessment.
2023-10-12 11:13 CDT: Published initial product assessment.
2023-10-18 13:38 CDT: Updated assessment for FlexNet Embedded LLS and Usage Intelligence products to not affected.
2023-10-26 09:55 CDT: Updated assessment for FlexNet Operations Cloud ALM to not affected.
2023-11-17 17:47 CDT: Updated product assessment for FlexNet Embedded.

Initial Advisory (posted on Oct 10, 2023 11:03 AM)

We are aware of the recent cURL security vulnerabilities (CVE-2023-38545 and CVE-2023-38546) and are assessing which of our products may be impacted.

Once specific details regarding the impacted versions of cURL are released on October 11th, we will reconcile that with our analysis and provide further updates on any necessary remediation work. Please subscribe to this page to be notified of subsequent updates.

Thank you for your patience.