License server and java vulnerability
The keywords found in this question may bring you here for reasons other than the previously discussed Log4j vulnerability. This additional answer addresses another common question related to lmadmin and security, namely lmadmin or its accompanying Java installation being flagged by routine server scans for having potential vulnerabilities.
BACKGROUND
lmadmin is a software license manager produced by Revenera (previously Flexera) for their FlexNet software licensing product. FlexSim licenses Revenera's FlexNet technology for use in securing our simulation software. FlexNet is a commonly used license manager, and in addition to FlexSim it has been used by other familiar products such as AutoCAD, MatLab, and many more.
lmadmin is a platform for your license server to host your FlexSim or other FlexNet-enabled licenses, as well as a web interface for the user to configure and manage your license server.
In addition to lmadmin, FlexNet provides another license manager called lmtools. This can be used in place of lmadmin. It is also configured and used on your license server to host your FlexNet-enabled software licenses. It does not include any kind of remote front-end (like lmadmin's web interface), but is instead a small and simple application with a basic interface.
JAVA IS NO LONGER BUNDLED WITH LMADMIN
One of lmadmin's requirements is Java, a programming language and computing platform now owned by Oracle. In the past a required Java platform was included as an integrated part of lmadmin's installer. However, in April 2019 Oracle changed their license model for Java. See Oracle's announcement at https://www.java.com/en/download/ (the yellow box):
lmadmin installers no longer include Java as an integrated component, presumably as a result of these changes to Java's licensing terms.
FLAGGED! SECURITY VULNERABILITIES
As with most software, new vulnerabilities and other bugs are regularly discovered for Java. Consequently Java updates and patches are released on a regular basis. Newer versions of lmadmin are also released several times each year.
If an lmadmin license server has not been kept up to date with these updates and patches, the out-of-date versions of Java and/or lmadmin may be flagged by routine security scans. If this is happening to you, read on.
INSTALLING YOUR OWN VERSION OF JAVA
Because recent lmadmin installers no longer include Java as a bundled part of the installation, it falls to the user to install and update Java individually. There are several alternate versions of Java available that avoid Oracle's licensing and fees. One of these is Amazon Corretto, hosted and maintained by Amazon.
We have tested a recent lmadmin version using Amazon's Corretto, version 11. In our test, we installed the Windows x64 Corretto 11 .msi file downloadable from Amazon here. This is their full Java Development Kit (JDK).
After installing the Corretto 11 JDK, we ran the latest lmadmin installer, which worked flawlessly. If you encounter any issues, you may want to check their Windows installation guide.
Amazon's Corretto is just one alternative, and there may be newer versions of Corretto at this time. Please do your research and pick the most appropriate version of Java for your needs.
RESOLVING SECURITY ISSUES
If you are encountering security alerts in regards to lmadmin and its associated Java platform, you have two main options:
- Uninstall lmadmin and convert to hosting your FlexSim licenses using lmtools. This is FlexSim's preferred method as outlined in the latest version of our license server installation instructions.
- If you must stay with lmadmin, or if you prefer lmadmin, keep both Java and lmadmin up to date:
- Depending on your preferred Java package, search the vendor's website for any updates.
- You can find FlexSim's most recent lmadmin installer here: https://flexs.im/lmadmin-download.
