Overview
Flexera Software FlexNet Publisher, including all versions prior to 11.13.1.2, lmgrd and custom vendor daemon servers contain a buffer overflow vulnerability that may be leveraged to gain code execution.
Description
Flexera Software FlexNet Publisher is a software license manager that provides licensing models and solutions for software vendors. A buffer overflow vulnerability in a string copying function of lmgrd and custom vendor daemon servers may enable a remote attacker to execute arbitrary code in affected server hosts. For more information, refer to the researchers' blog post and advisory. |
Impact
A remote, unauthenticated attacker may be able to execute arbitrary code in affected server hosts. |
Solution
Apply an update |
Vendor Information
Note that any vendor that distributes lmgrd or a customized version with their products may be affected. As the CERT/CC becomes aware of specific vendors and products, we will add them to the list below. |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 7.8 | E:POC/RL:OF/RC:C |
| Environmental | 5.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Matthew Benton, Ryan Wincey, and Richard Kelley for reporting this vulnerability.
This document was written by Joel Land.
Other Information
| CVE IDs: | CVE-2015-8277 |
| Date Public: | 2016-02-22 |
| Date First Published: | 2016-02-22 |
| Date Last Updated: | 2016-04-04 16:30 UTC |
| Document Revision: | 27 |