A possible security vulnerability has been reported in the FlexNet Publisher lmgrd license server manager as well as vendor daemons. There have been no reported exploits of this possible vulnerability, and to date it has not been reported by FlexNet software users.
CVE ID: CVE-2011-1389
Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of FlexNet Publisher license server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the license server manager which listens on TCP port 27000. There are multiple problems that allow an attacker to influence the saving and loading of log files on the server. By utilizing a directory traversal issue and some file renaming bugs, an attacker can leverage this vulnerability to execute arbitrary code under the user context running the license server manager/vendor daemon.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/71739> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Note: the vector as printed does not correspond to a base score of 10, and its Au:S and C:N/A:N metrics understate the description above (no authentication required, arbitrary code execution). Treat the X-Force entry linked above as authoritative for the current metrics.
This vulnerability impacts the following license server:
The list of platforms affected by this vulnerability is as follows.
Note: Not all versions of the License Server run on all of the above platforms.
The recommended solution is to apply the iFixes provided by IBM as outlined here.
Vendor Fix(es):
For IBM RLKS 8.1.3, 8.1.2 or RLKS 8.1.1 Users
An iFix is available to address this vulnerability. See RLKS 8.1.3 iFixes Download Link to download the fixes and the installation instructions.
How to install the iFixes
To install the Rational License Key Server fix on Windows platforms:
1. Download the Windows iFix.zip file.
2. Extract the compressed files to an appropriate directory.
3. Add the fix pack repository location in Installation Manager as follows:
   1. Launch IBM Installation Manager.
   2. Click File > Preferences > Repositories.
   3. Click Add Repository.
   4. Browse to or enter the file path to the repository.config file. The repository.config file is located in the sub-directory "ifix" where you extracted the compressed files.
4. Stop the Rational License Key Server before installing the iFix. Ensure the following processes are not running:
   lmgrd
   lmutil
   lmtools
   ibmratl
5. On the main page of Installation Manager, click Update.
6. Follow the instructions to install the fix pack.
7. Start the Rational License Key Server.
To install the Rational License Key Server fix on UNIX and Linux platforms:
1. Download the iFix.tar file.
2. Extract the iFix.tar: tar -xvf <iFix>.tar
3. Go to the installation location of the license server.
4. Navigate to the config sub-folder.
5. Run the start_lmgrd_on_this_host script file with the stop option: ./start_lmgrd_on_this_host stop
6. The license server stops. To verify, run the command: ps -ef | grep lmgrd
   The grep command matches its own process line, so the server is stopped when the only line returned is the grep itself.
7. Navigate to the sub-directory <installation_directory>/base/cots/flexlm.11.8/<Platform>
8. Overwrite files in this directory with all the files from the iFix.
9. Go to the <installation_directory>/config/ directory.
10. Start the license server using the command: ./start_lmgrd_on_this_host start
On UNIX and Linux platforms, to install the iFix on RLKS 8.1.3, follow the steps mentioned to install the Rational License Key Server fix on Windows platforms.
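The UNIX/Linux steps above can be scripted so that the binaries are never overwritten while a license-server process is still up and the replaced files are kept for rollback. The script below is an added example, not IBM's own tooling, and it assumes (the technote does not say) that the extracted iFix is a flat directory of files, that the platform directory is <installation_directory>/base/cots/flexlm.11.8/<Platform>, and that start_lmgrd_on_this_host lives in <installation_directory>/config; paths such as /opt/rlks and the platform name are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: scripts the UNIX/Linux iFix procedure
# from this technote. Assumptions (not stated in the technote): the iFix
# extracts to a flat directory of files, the platform directory is
# <install>/base/cots/flexlm.11.8/<Platform>, and start_lmgrd_on_this_host
# lives in <install>/config. Paths such as /opt/rlks are hypothetical.

# Processes the technote says must not be running while files are replaced.
LICENSE_PROCS="lmgrd lmutil lmtools ibmratl"

# True (exit 0) if any license-server process is still up. Matches on the
# command-name column only, so unlike `ps -ef | grep lmgrd` it does not match
# the grep itself or this script's own argument list.
license_procs_running() {
    names=$(ps -eo comm= 2>/dev/null | sed 's#.*/##')
    for p in $LICENSE_PROCS; do
        if printf '%s\n' "$names" | grep -qx "$p"; then
            return 0
        fi
    done
    return 1
}

# Copy every regular file from the iFix directory over the platform directory,
# saving each file it replaces in a sibling timestamped backup directory and
# verifying each copy with cksum. Prints the backup directory on success.
# Usage: apply_ifix <ifix_dir> <platform_dir>
apply_ifix() {
    ifix_dir=$1
    target_dir=${2%/}
    if [ ! -d "$ifix_dir" ] || [ ! -d "$target_dir" ]; then
        echo "apply_ifix: $ifix_dir or $target_dir is not a directory" >&2
        return 1
    fi
    backup_dir="$target_dir.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup_dir" || return 1
    for f in "$ifix_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ -f "$target_dir/$name" ]; then
            cp -p "$target_dir/$name" "$backup_dir/$name" || return 1
        fi
        cp -p "$f" "$target_dir/$name" || return 1
        # `cksum < file` omits the file name, so the two outputs compare directly.
        if [ "$(cksum < "$f")" != "$(cksum < "$target_dir/$name")" ]; then
            echo "apply_ifix: verification failed for $name" >&2
            return 1
        fi
    done
    echo "$backup_dir"
}

# The full procedure: stop the server, refuse to continue if anything is
# still running, overwrite the platform directory, restart.
# Usage: apply_rlks_ifix <ifix_dir> <install_dir> <Platform>
apply_rlks_ifix() {
    ifix_dir=$1
    install_dir=$2
    platform=$3
    platform_dir="$install_dir/base/cots/flexlm.11.8/$platform"
    (cd "$install_dir/config" && ./start_lmgrd_on_this_host stop) || return 1
    if license_procs_running; then
        echo "license server processes still running; not overwriting binaries" >&2
        return 1
    fi
    backup=$(apply_ifix "$ifix_dir" "$platform_dir") || return 1
    echo "previous files saved in $backup"
    (cd "$install_dir/config" && ./start_lmgrd_on_this_host start)
}

# Run the procedure only when invoked with all three arguments, e.g.
#   sh apply_ifix.sh /tmp/ifix /opt/rlks linux_x86   (hypothetical paths)
if [ "$#" -eq 3 ]; then
    apply_rlks_ifix "$@"
fi
```

The process check uses the command-name column rather than a full-command grep so that a still-running vendor daemon such as ibmratl is caught as well as lmgrd, and the backup directory is created beside the platform directory so the previous binaries can be copied back if the patched server fails to start.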
For IBM RLS 8.x, RLS 7.x and IBM Telelogic License Server 2.0 Users
There are no plans to release fixes for Rational License Server v8.x, v7.x and Telelogic License Server 2.0. IBM recommends all customers using these versions of license servers migrate to IBM Rational License Key server 8.1.3 and update the IBM Rational License Key server 8.1.3 with the fix for the security vulnerability described in this technote.
See the topic Migrate to Rational Common Licensing for instructions on migrating to RLKS 8.1.3.
You can download RLKS 8.1.3 from your Passport Advantage account or from the Rational products Releases web site.
If you do not wish to migrate to the IBM RLKS 8.1.3, you can use one of the possible mitigations outlined in technote 1622284: Mitigations for Rational License Key Server and Vendor Daemon vulnerability.