Forgive me because I'm not entirely sure of the details for this question but was asked by our IT department to find out....
I remember the license server having something about it that involved Java. Is this affected at all with the latest java vulnerability reported on Friday?
This answer is in regards to the recent Log4j vulnerabilities described in CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, and CVE-2021-45105.
FlexSim Simulation Software is NOT affected
To be clear, FlexSim Simulation Software itself does not include this package and is therefore not susceptible to these vulnerabilities.
License managers are NOT affected
Your FlexSim licenses are either standalone (activated directly in the software on a client PC) or network-based, where the licenses are hosted on a customer-owned and managed license server. Standalone licensing is not affected by these vulnerabilities.
For network-based licensing, your organization maintains a license server that hosts your FlexSim licenses using a Revenera FlexNet license manager - either lmadmin or lmtools+lmgrd.
lmtools+lmgrd does not include the Log4j package.
If you are hosting your network licenses using lmadmin, please note that lmadmin DOES include a version of Log4j, though the Log4j package is not used as part of the license hosting service.
FNP [FlexNet Publisher, i.e. lmadmin] is not vulnerable to log4j vulnerability. It is just used in the example. Customers can also modify on their own [see workaround for older versions].
New lmadmin installer includes updated Log4j
While Revenera indicates that lmadmin is not vulnerable, customers are rightfully wary of having the vulnerable files on their filesystems in any way. For this reason, Revenera has released an update to lmadmin which includes in its example files the patched 2.17.0 version of Log4j. You can download the most recent lmadmin installer at https://flexs.im/lmadmin-download.
Consider lmtools
FlexSim recommends hosting your network-based FlexSim licenses using lmtools+lmgrd instead of lmadmin. This preference is reflected in our latest instructions for installing a FlexSim license server.
Various reasons led us to recommending lmtools+lmgrd over lmadmin, including better compatibility with many of our clients' preexisting licensing ecosystems, simpler installation, configuration, and maintenance, as well as lmtools+lmgrd's lack of external dependencies like Java.
If you must use or prefer using lmadmin over lmtools+lmrgd, please note that FlexSim is 100% compatible with lmadmin.
The keywords found in this question may bring you here for reasons other than the previously discussed Log4j vulnerability. This additional answer addresses another common question related to lmadmin and security, namely lmadmin or its accompanying Java installation being flagged by routine server scans for having potential vulnerabilities.
BACKGROUND
lmadmin is a software license manager produced by Revenera (previously Flexera) for their FlexNet software licensing product. FlexSim licenses Revenera's FlexNet technology for use in securing our simulation software. FlexNet is a commonly used license manager, and in addition to FlexSim it has been used by other familiar products such as AutoCAD, MatLab, and many more.
lmadmin is a platform for your license server to host your FlexSim or other FlexNet-enabled licenses, as well as a web interface for the user to configure and manage your license server.
In addition to lmadmin, FlexNet provides another license manager called lmtools. This can be used in place of lmadmin. It is also configured and used on your license server to host your FlexNet-enabled software licenses. It does not include any kind of remote front-end (like lmadmin's web interface), but is instead a small and simple application with a basic interface.
JAVA IS NO LONGER BUNDLED WITH LMADMIN
One of lmadmin's requirements is Java, a programming language and computing platform now owned by Oracle. In the past a required Java platform was included as an integrated part of lmadmin's installer. However, in April 2019 Oracle changed their license model for Java. See Oracle's announcement at https://www.java.com/en/download/ (the yellow box):
lmadmin installers no longer include Java as an integrated component, presumably as a result of these changes to Java's licensing terms.
FLAGGED! SECURITY VULNERABILITIES
As with most software, new vulnerabilities and other bugs are regularly discovered for Java. Consequently Java updates and patches are released on a regular basis. Newer versions of lmadmin are also released several times each year.
If an lmadmin license server has not been kept up to date with these updates and patches, the out-of-date versions of Java and/or lmadmin may be flagged by routine security scans. If this is happening to you, read on.
INSTALLING YOUR OWN VERSION OF JAVA
Because recent lmadmin installers no longer include Java as a bundled part of the installation, it falls to the user to install and update Java individually. There are several alternate versions of Java available that avoid Oracle's licensing and fees. One of these is Amazon Corretto, hosted and maintained by Amazon.
We have tested a recent lmadmin version using Amazon's Corretto, version 11. In our test, we installed the Windows x64 Corretto 11 .msi file downloadable from Amazon here. This is their full Java Development Kit (JDK).
After installing the Corretto 11 JDK, we ran the latest lmadmin installer, which worked flawlessly. If you encounter any issues, you may want to check their Windows installation guide.
Amazon's Corretto is just one alternative, and there may be newer versions of Corretto at this time. Please do your research and pick the most appropriate version of Java for your needs.
RESOLVING SECURITY ISSUES
If you are encountering security alerts in regards to lmadmin and its associated Java platform, you have two main options:
14 People are following this question.
FlexSim can help you understand and improve any system or process. Transform your existing data into accurate predictions.
FlexSim is a fully 3D simulation software environment. FlexSim can be used to simulate any process in any industry.
FlexSim®, FlexSim Healthcare™, Problem Solved.®, the FlexSim logo, the FlexSim X-mark, and the FlexSim Healthcare logo with stylized Caduceus mark are trademarks of FlexSim Software Products, Inc. All rights reserved.
