We have an important update for the StruSoft License Server which we have decided to share with all Customers.
Please help us to share the following information with your IT Department, or the person responsible for managing your StruSoft Software License Server.
What is the Issue?
We are currently investigating CVE-2021-44228, a critical vulnerability affecting the Java logging package Log4j, which is used in the Flexera license server ‘lmadmin’ from Revenera.
This is the system that administrates your StruSoft software licenses. Revenera is actively working with their product teams to review Software Composition Analysis scans of their products to determine the impact.
How to solve this?
In the meantime, there is an immediate solution. Please access ‘lmadmin’ and set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to TRUE on the license server.
‘lmadmin’ must be restarted after the environment variable is added for the entire server to be safe.
We strongly recommend all StruSoft Customers do this.
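A variable added to the server's settings does not reach an 'lmadmin' process that is already running, which is why the restart matters. The script below is an added example, not StruSoft or Revenera code, that checks the environment of the running process; it assumes a Linux license server whose process is named "lmadmin", and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): verify the mitigation on a Linux host.
# Assumption: the license server process is named "lmadmin".
VAR=LOG4J_FORMAT_MSG_NO_LOOKUPS

# mitigation_state FILE
# FILE uses the /proc/<pid>/environ layout: NAME=value entries separated by NUL.
# Prints one of: mitigated | wrong-value | not-set | unreadable
mitigation_state() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    # Exact-name match, first occurrence wins; keep everything after "NAME=".
    value=$(tr '\0' '\n' < "$1" | awk -F= -v n="$VAR" '
        $1 == n && !found { print "set:" substr($0, length(n) + 2); found = 1 }')
    case "$value" in
        "")                   echo not-set ;;
        set:[Tt][Rr][Uu][Ee]) echo mitigated ;;   # any capitalisation of "true"
        *)                    echo wrong-value ;;
    esac
}

# check_lmadmin: inspect every running lmadmin process (run as root or as the
# service account, otherwise environ is unreadable).
# Returns 0 only when at least one process exists and all are mitigated.
check_lmadmin() {
    pids=$(pgrep -x lmadmin) || { echo "no running lmadmin process"; return 2; }
    rc=0
    for pid in $pids; do
        state=$(mitigation_state "/proc/$pid/environ")
        echo "lmadmin pid $pid: $state"
        [ "$state" = mitigated ] || rc=1
    done
    return $rc
}

# Constructed sample data: a process started before the variable was added,
# and the same process after the restart.
demo() {
    dir=$(mktemp -d)
    printf 'PATH=/usr/bin\0LANG=C\0' > "$dir/before"
    printf 'PATH=/usr/bin\0LOG4J_FORMAT_MSG_NO_LOOKUPS=TRUE\0' > "$dir/after"
    echo "before restart: $(mitigation_state "$dir/before")"
    echo "after restart:  $(mitigation_state "$dir/after")"
    rm -rf "$dir"
}
demo
```

Call check_lmadmin on the license server after the restart. Apache's Log4j security page, linked below, states that this variable only applies to Log4j 2.10 and later and is not sufficient on its own, so the updated 'lmadmin' should still be installed once it is available.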
Older versions 11.14 of ‘lmadmin’ and the alternative license service type ‘lmtools’ are not affected by this vulnerability.
As soon as Revenera has solved this issue, we will send out an updated version of ‘lmadmin’.
Please find more information below:
CVE Definition: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Expanded CVE Definition: https://www.cve.org/CVERecord?id=CVE-2021-44228
Apache Security Site for CVE severity, score, and vector string: https://logging.apache.org/log4j/2.x/security.html
If you have any questions or need any help with this, please contact our Support Team here: https://strusoft.freshdesk.com/en/support/home