Security Bulletin
Summary
A possible security vulnerability has been reported in the FlexNet Publisher lmgrd license server manager as well as vendor daemons. There have been no reported exploits of this possible vulnerability, and to date it has not been reported by FlexNetSoftware users.
Vulnerability Details
Subscribe to My Notifications to be notified of important product support alerts like this.
|
CVE ID: CVE-2011-1389
Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of FlexNet Publisher license server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the license server manager which listens on TCP port 27000. There are multiple problems that allow an attacker to influence the saving and loading of log files on the server. By utilizing a directory traversal issue and some file renaming bugs, an attacker can leverage this vulnerability to execute arbitrary code under the user context running the license server manager/vendor daemon.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/71739 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Affected Products and Versions
This vulnerability impacts the following license server:
- IBM Rational License Key Server (RLKS) 8.1.3
- IBM Rational License Key Server 8.1.2
- IBM Rational License Key Server 8.1.1
- IBM Rational License Key Server 8.0
- Rational License Server v7.x
- Telelogic License Server 2.0
The list of platforms affected by this vulnerability is as follows.
- AIX 5.1
- AIX 5.2.*
- AIX 5.3.*
- AIX 6.1.*
- AIX 7.1.*
- HP-UX 11.0 PA-RISC
- HP-UX 11i v1 PA-RISC
- HP-UX 11i v2 IA64
- HP-UX 11i v2 PA-RISC
- Red Hat Enterprise Linux 3
- Red Hat Enterprise Linux 4
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- SUSE Linux Enterprise Server 11
- SUSE Linux Enterprise Server 10
- SUSE Linux Enterprise Server 9
- Solaris 10 SPARC
- Solaris 8 x86-32
- Solaris 9 x86-32
- Windows 2000 SP4 Advanced Server/Server/Professional
- Windows Server 2003 SP2 Enterprise/Standard x86-32
- Windows Server 2003 SP2 Enterprise/Standard x86-64
- Windows XP SP2 Professional x86-32
- Windows Server 2008 Enterprise/Standard x86-32
- Windows Server 2008 Enterprise/Standard x86-64
- Windows Server 2008 R2 Enterprise x86-32
- Windows Server 2008 R2 Enterprise x86-64
- Windows Vista Business/Enterprise/Ultimate SP2 x86-32
- Windows 7 Enterprise/Professional/Ultimate x86-32
- Windows 7 Enterprise/Professional/Ultimate x86-64
Note: All the versions of the License Server may not run on all of the above platforms.
Remediation/Fixes
The recommended solution is to apply the iFixes provided by IBM as outlined here.
Vendor Fix(es):
For IBM RLKS 8.1.3, 8.1.2 or RLKS 8.1.1 Users
An iFix is available to address this vulnerability. For more information, see the link RLKS 8.1.3 iFixes Download Link to download the fixes and the installation instructions.
How to install the iFixes
To install the Rational License Key Server fix on Windows platforms:
- Download the Windows iFix.zip file.
- Extract the compressed files to an appropriate directory.
- Add the fix pack repository location in Installation Manager as follows:
- Launch IBM Installation Manager.
- Click File > Preferences > Repositories.
- Click Add Repository.
- Browse to or enter the file path to the repository.config file.
The repository.config file is located in the sub-directory "ifix" where you extracted the compressed files.
- Stop the Rational License Key Server before installing the iFix.
Ensure the following processes are not running: - lmgrd
- lmutil
- lmtools
- ibmratl
- On the main page of Installation Manager, click Update.
- Follow the instructions to install the Fix Pack.
- Start the Rational License Key Server.
To install the Rational License Key Server fix on UNIX and Linux platforms:
- Download the iFix.tar file.
- Extract the iFix.tar: tar -xvf <iFix>.tar
- Go to the installation location of the license server.
- Navigate to the config sub-folder.
- Run the start_lmgrd_on_this_host script file with the stop option: ./start_lmgrd_on_this_host stop
- The license server stops. To verify, run the command: ps -ef | grep lmgrd
- Navigate to sub-directory <installation_directory>/base/cots/flexlm.11.8/<Platform>
- Overwrite files in this directory with all the files from the iFix.
- Go to the <installation_directory>/config/ directory.
- Start the license server using the command: ./start_lmgrd_on_this_host start
On UNIX and Linuix platforms, to install the iFix on RLKS 8.1.3, follow the steps mentioned to install the Rational License Key Server fix on Windows platforms.
For IBM RLS 8.x, RLS 7.x and IBM Telelogic License Server 2.0 Users
There are no plans to release fixes for Rational License Server v8.x, v7.x and Telelogic License Server 2.0. IBM recommends all customers using these versions of license servers migrate to IBM Rational License Key server 8.1.3 and update the IBM Rational License Key server 8.1.3 with the fix for the security vulnerability described in this technote.
See the topic Migrate to Rational Common Licensing for instructions on migrating to RLKS 8.1.3.
You can download RLKS 8.1.3 from your Passport Advantage account or from the Rational products Releases web site.
Workarounds and Mitigations
If you do not wish to migrate to the IBM RLKS 8.1.3, you can use one of the possible mitigations outlined in technote 1622284: Mitigations for Rational License Key Server and Vendor Daemon vulnerability.
Get Notified about Future Security Bulletins
References
Acknowledgement
This security vulnerability was reported by [<a href="http://www.zerodayinitiative.com/advisories/ZDI-11-272/">Zero Day Initiative</a>].
Change History
* 16 January 2013: Original copy published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21622287