False Positives Flexera vulnerabilities for Citrix ADM/ADC
Article ID: CTX270574
Description
CVE-2019-8960, CVE-2019-8961, CVE-2019-8962, CVE-2018-20031, CVE-2018-20032, CVE-2018-20033 and CVE-2018-20034
For ADC, these vulnerabilities are mitigated because the internal license server is not exposed to the network. The vulnerable component is actually part of a web console provided with Flexera. This part of the package is not used on ADM, and ADC is not impacted by these vulnerabilities because the vulnerable components are not connected to the network. ADM uses a more limited version of flexlm that does not include the vulnerable component.
The richest set of Flexera functionality is provided in their product, which is in use elsewhere in Citrix but is not used by ADC/ADM. The ADC/ADM product uses a special FreeBSD variant of a subset of the Flexera functionality, and within that subset of the Flexera components we use a subset of their APIs and features. Due to this narrowed exposure, Flexera security alerts may or may not apply to the ADC/ADM product.
Hence these vulnerabilities are not applicable to either ADC or ADM.
Issue/Introduction
When running a security scan on ADM/ADC, a customer might get the response "A licensing application running on the remote host is affected by multiple vulnerabilities."
Additional Information
Noted in Flexera's security bulletins:
"Please be aware that network access to the FlexNet Publisher License Server would be necessary to perform any attack. Protecting the license server from unauthorized access is essential to minimize the opportunities for any of the vulnerabilities to be exploited. Customers are also strongly advised to follow best practice in protecting the license server from unauthorized access."
Here are the security bulletins from Flexera:
https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2018-20031-remediated-in-FlexNet-Publisher/ta-p/94681
https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2018-20032-remediated-in-FlexNet-Publisher/ta-p/94680
https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2018-20033-remediated-in-FlexNet-Publisher/ta-p/94679
https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2018-20034-remediated-in-FlexNet-Publisher/ta-p/94678
https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8962-remediated-in-FlexNet-Publisher/ta-p/131062
https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8960-remediated-in-FlexNet-Publisher/ta-p/124598
https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601