Security Issues Resolved
The following security issues were addressed in the 2023 R1 release.
Restricted File Types for File Import
The browser file upload dialogs in the Producer Portal and End-User Portal now restrict the types of files that can be imported. Valid file types depend on the product area and are as follows:
• System > Configure > Import: *.jar
• Usage > Upload Historical Usage: *.csv
• Licenses > Manual Activation: *.xml
• Licenses > Manual Repair: *.xml
• Licenses > Manual Return: *.xml
• Devices > Offline Device Management > Generate license or confirm license reduction or return: *.xml, *.bin, *key
• Devices > Offline Device Management > Upload synchronization history: *.xml, *.bin, *.syncref
• Administer > Identities > Create Identity: *.bin
• Administer > Identities > Update Identity: *.bin
• Entitlements > List Entitlements > select an entitlement > Next > Web Register Key: *.xml
• License Support > Manual Return: *.xml
• License Support > Manual Repair: *.xml
• Devices > Offline Device Management > Generate license or confirm license reduction or return: *.xml, *.bin, *key
• Devices > Offline Device Management > Upload synchronization history: *.xml, *.bin, *.syncref
• Activation & Entitlements > Offline Trusted Activation: *.xml
File Type Extensions in File Import No Longer Case Sensitive
When importing files into FlexNet Operations, the file extension is no longer treated as case sensitive.
Configuration Added for Avoiding Concurrent Sessions in Producer Portal and End-User Portal
A new configuration option, Prevent multiple browser sessions, enables producers to disallow concurrent sessions in the Producer Portal and End-User Portal. The option is located under System > Configure > FlexNet Platform Server > General Options.
By default, multiple browser sessions are allowed. When multiple browser sessions are disallowed, users can still open multiple tabs.
Configuration Added for Locking Out Users After Repeatedly Providing an Incorrect Security Answer
In the Producer Portal and End-User Portal, the password reset page is followed by a request for the correct response to the user's security question. Configuration options are now available to enable FlexNet Operations to lock out users after they repeatedly provide the wrong security answer:
• System > Configure > Validators > Lock out user upon repeated security question attempts: Enable this option to lock out a user for a set amount of time after they repeatedly provide the wrong security answer when attempting to reset their password. The number of consecutive failed attempts is defined as part of the FlexNet Platform Server configuration, under System > Configure > FlexNet Platform Server > Consecutive attempts to provide correct security answer.
• System > Configure > Validators > Lockout period after failed security question attempts: The number of minutes a user is locked out before being allowed to answer the security question again.
These parameters work in conjunction with the following parameter, which sets the limit on the number of consecutive security question attempts allowed before a user is locked out.
System > Configure > FlexNet Platform Server > General Options > Consecutive attempts to provide correct security answer
Any error messages that are displayed as a result of the user entering the wrong security answer are currently available in English only.
This added functionality is part of an ongoing effort to improve overall FlexNet Operations security.
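How the three lockout settings described above interact, as an added Python sketch (not FlexNet Operations code). The class and function names are hypothetical, the limit of 3 attempts and the 15-minute period are constructed values, and rejecting attempts during the lockout and restarting the count once it expires are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SecurityAnswerLockout:
    """Illustrative model of per-user lockout on wrong security answers."""
    max_attempts: int       # "Consecutive attempts to provide correct security answer"
    lockout_minutes: int    # "Lockout period after failed security question attempts"
    enabled: bool = True    # "Lock out user upon repeated security question attempts"
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is not None and now >= until:
            # Lockout elapsed: clear it and start a fresh count (assumption).
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return until is not None

    def submit(self, user: str, answer_correct: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'wrong' for one attempt at time `now` (seconds)."""
        if self.enabled and self.is_locked(user, now):
            # Assumption: attempts during the lockout are rejected unevaluated,
            # so a correct guess made while locked out is not accepted.
            return "locked"
        if answer_correct:
            self._failures.pop(user, None)  # only consecutive failures count
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if self.enabled and count >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_minutes * 60
            return "locked"
        return "wrong"


def replay(policy, user, attempts):
    """Replay constructed (minute, answer_correct) attempts; return the outcomes."""
    return [policy.submit(user, ok, minute * 60) for minute, ok in attempts]


# Constructed sample: limit of 3 attempts, 15-minute lockout.
SAMPLE = [(0, False), (1, False), (2, True), (3, False), (4, False),
          (5, False), (6, True), (19, True), (20, True)]

if __name__ == "__main__":
    print(replay(SecurityAnswerLockout(3, 15), "alice", SAMPLE))
```

In the sample, the correct answer at minute 2 resets the count, the third consecutive failure at minute 5 starts the lockout, and the user is accepted again only from minute 20.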
Third-Party Component moment.js Upgrade
moment.js has been upgraded to version 2.29.3 to address potential security issues.