Altair License Manager 15.5.0 has a Java vulnerability that needs to be fixed immediately
Altair License Manager 15.5.0 has a Java vulnerability that needs to be fixed immediately. Please see the attached screenshot. Our system admins will be blocking the tool shortly, which means that my users will no longer be able to run Altair. So our need is urgent.
Thank you,
Scott Nelson
Answers
Hi Scott,
The Java runtime environment has a massive surface area, and bugs, including vulnerabilities, are found and fixed constantly. We release the ALM and include the latest JRE, and unfortunately, it goes out of date within days.
It is worth noting that the license server itself is not Java; only the included URT and license parser utilities are. The parser is there for convenience and is never run automatically. The URT is run automatically once per week and only communicates with trusted servers; it does not listen for incoming connections.
So having a JRE on disk with some vulnerability only makes the system vulnerable if it is used in such a way that it can be exploited. The way we’re using the JRE, there is very little risk, since it is not listening for network connections or handling data from untrusted sources.
Ultimately, if they’re still concerned, they can delete the installer_bundled_jre folder, as that is only there for the uninstaller. If they want to uninstall later, it will try to find an appropriate Java executable in the environment. If they want to replace the JRE installed in the jre folder that is used by the URT and parser with something else, they can do that. They would need to update the urt and parser driver scripts in the bin subdirectory to use their provided Java. They’d have a .bat or .sh extension depending on whether they’re on Windows or Linux, respectively.
I hope this helps provide appropriate guidance to your IT teams.
0
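One way for an IT team to check which Java version each bundled JRE folder carries, and which java the .sh driver scripts in bin reference after a replacement. This is an added example, not Altair's tooling or part of the original answer. It assumes the install root is passed as an argument, that jre, installer_bundled_jre and bin sit directly under it, and that each JRE ships the standard `release` file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Altair tooling): report bundled JRE versions and the
# java references in the driver scripts of an ALM install.
# Assumed layout: <root>/jre, <root>/installer_bundled_jre, <root>/bin/*.sh

# Print JAVA_VERSION from a JRE's standard "release" file.
# "absent" = folder is gone (e.g. deleted), "unknown" = no readable release file.
jre_version() {
    dir=$1
    [ -d "$dir" ] || { echo absent; return 0; }
    v=$(sed -n 's/^JAVA_VERSION=//p' "$dir/release" 2>/dev/null | tr -d '"\r' | head -n 1)
    echo "${v:-unknown}"
}

# Print "script:line:text" for each non-comment line in bin/*.sh mentioning
# java (case-insensitive, so JAVA_HOME counts). Review these after repointing.
java_refs() {
    for f in "$1"/bin/*.sh; do
        [ -f "$f" ] || continue
        awk -v n="${f##*/}" \
            'tolower($0) ~ /java/ && $0 !~ /^[ \t]*#/ { print n ":" FNR ":" $0 }' "$f"
    done
    return 0
}

# Full report: one version line per JRE folder, then the script references.
alm_jre_audit() {
    root=$1
    for d in jre installer_bundled_jre; do
        echo "$d: $(jre_version "$root/$d")"
    done
    java_refs "$root"
}

# Usage: sh alm_jre_audit.sh /path/to/alm
if [ $# -gt 0 ]; then
    alm_jre_audit "$1"
fi
```

A result of `absent` for installer_bundled_jre confirms the folder was deleted, and the listed script lines show whether the driver scripts still point at the old jre folder.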