ArcGIS License Manager is built with a third party software component called Flexera FlexNet Publisher. Recently, a CVE (CVE-2015-8277) was released detailing buffer overflow vulnerabilities associated with Flexera FlexNet Publisher. Esri is providing ArcGIS 10.4 License Manager to resolve these Flexera-based vulnerabilities.
Flexera FlexNet Publisher contains a buffer overflow vulnerability that could allow remote code execution – (CWE-130)
A remote unauthenticated attacker may be able to execute arbitrary code or perform a denial of service by exploiting a buffer overflow vulnerability in affected servers. The CVE (CVE-2015-8277) associated with this vulnerability is still undergoing analysis however the Vulnerability Note issued by US CERT has given this vulnerability a CVSS base score of 10.0 (HIGH).
Note: Keep in mind that CVSS base scores do not include temporal or environmental organization-specific factors for calculation. As a best practice, Esri recommends not exposing License Manager externally. Assuming ArcGIS License Manager is not exposed externally and not accessible anonymously, this lowers the CVSS score to 6.8 (MEDIUM).
Esri recommends downloading and installing ArcGIS 10.4 License Manager immediately for all customers that use concurrent licensing while removing their current ArcGIS License Manager. The ArcGIS 10.4 License Manager can be downloaded from My Esri and is available within the ArcGIS for Desktop, ArcGIS Engine, and ArcGIS for Server products. Contact your primary maintenance contact for access to My Esri if you are not authorized to download Esri software. The ArcGIS 10.4 License Manager is compatible with all ArcGIS releases from ArcGIS 10.0 through ArcGIS 10.4. For more information on affected versions, please see the details in the associated Knowledge Base Article.
CWE-130: Improper Handling of Length Parameter Inconsistency
US CERT Vulnerability Note VU#485744
The Security Standards and Architecture team