Revenera Company News

(Latest Update 2023-Nov-17 17:47 CDT) The cURL 8.4.0 patch has been released and we're continuing to assess Revenera product impact and if any remediation work is required. CVE-2023-38545 (Severity HIGH): This defect allows potential heap based buffer overflow in the SOCKS5 proxy handshake. This issues affects libcurl versions 7.69.0 to and including 8.3.0. CVE-2023-38546 (Severity: LOW): If certain conditions are in effect, this defect may allow a cookie injection attack on a running program using libcurl. This defect affects libcurl versions 7.9.1 to and including 8.3.0.  If you need to patch cURL on your own servers or environment, the patch files are available at https://curl.se/download.html.   NOTE: This is an ongoing assessment. Updates will be made to this advisory as further information becomes available. Revenera Product Assessment Product cURL present in Product Present in Product Version or Component Mitigation / Fixed Version Notes Installation InstallAnywhere No None NA   InstallShield Assessment in progress         Software Composition Analysis Code Insight No None NA   SBOM Insights No None NA     Software Monetization Cloud Licensing (CLS) No None NA   Compliance Intelligence (RCI) No None NA   FlexNet Embedded - License Server Manager (FLSM) No None NA   FlexNet Embedded - Local License Server (LLS) No None NA   FlexNet Embedded SDK Yes C-XT: All versions Non C-XT: Versions prior 2023.09 C-XT: FlexNet Embedded 2023.09.1 Non C-XT: FlexNet Embedded 2023.09 Download remediated versions from Product and License Center FlexNet Operations - ALM No None NA   FlexNet Operations - LLM No None NA   FlexNet Operations On-Premise No None NA   FlexNet Publisher No None NA   Usage Intelligence (RUI) No None NA     The information on this page reflects: The assessed status of all versions of Revenera’s products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.revenera.com/eol/default.htm. Related Information GitHub Announcement of cURL Vulnerabilities https://curl.se/docs/CVE-2023-38545.html https://curl.se/docs/CVE-2023-38546.html Change Log 2023-10-10 13:03 CDT: Initial advisory posted 2023-10-11 18:07 CDT: Update regarding cURL 8.4.0 patch and ongoing product assessment 2023-10-12 11:13 CDT: Published initial product assessment. 2023-10-18 13:38 CDT: Updated assessment for FlexNet Embedded LLS and Usage Intelligence products to not affected. 2023-10-26 09:55 CDT: Updated assessment for FlexNet Operations Cloud ALM to not affected. 2023-11-17 17:47 CDT: Updated product assessment for FlexNet Embedded.  Initial Advisory (posted on Oct 10, 2023 11:03 AM) We are aware of the recent cURL security vulnerabilities (CVE-2023-38545 and CVE-2023-38546) and are assessing which of our products may be impacted. Once specific details regarding the impacted versions of cURL are released on October 11th, we will reconcile that with our analysis and provide further updates on any necessary remediation work. Please subscribe to this page to be notified of subsequent updates. Thank you for your patience.