Security Issues Resolved in 2024.10
The following issues related to FlexNet Operations security were addressed in the 2024.10 release.
• Enforced Authentication in Public APIs
• Fixed Insecure Direct Object Reference Vulnerability in End-User Portal
Enforced Authentication in Public APIs
FlexNet Operations has a public API hosted at the following URLs:
• https://<site-id>.flexnetoperations.com/flexnet/pubservices/lineitemdetails
• https://<site-id>.flexnetoperations.com/flexnet/pubservices/entitlementdetails
• https://<site-id>.flexnetoperations.com/flexnet/pubservices/registeruser
• https://<site-id>.flexnetoperations.com/flexnet/pubservices/mapentitlement
Previously, these endpoints could be accessed without any authentication, which is now classified as a security flaw. In line with modern security practices, these API endpoints now require authentication.
To ease the transition to enforced authentication, the 2024.10 release introduces the configuration option Enable authentication for Public Webservices (under System > Configure > FlexNet Operations > General Options). By default, the option is selected and authentication is enforced. Producers who need time to adjust and do not want to enforce authentication during a transition period can unselect the option.
However, Revenera recommends that producers change their systems to enable authentication as early as possible. The Enable authentication for Public Webservices configuration option will be removed in a future release to avoid security exposure, at which point authentication will be fully enforced.
Fixed Insecure Direct Object Reference Vulnerability in End-User Portal
Unauthorized users can no longer reach the Edit Account page (which shows account details) of an account they do not belong to by changing the account ID in the End-User Portal URL.
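As an added illustration (not FlexNet Operations code), the following minimal request-authorization layer models both fixes described on this page: the public web-service paths rejecting unauthenticated callers unless the transitional option is off, and the Edit Account page performing an object-level membership check rather than trusting the ID in the URL. The portal path, user names and account IDs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed user directory: user id -> set of account ids the user belongs to.
USER_ACCOUNTS = {
    "alice": {"ACC-100"},
    "bob": {"ACC-200", "ACC-201"},
}

# The four public web-service paths listed in the release note.
PUBLIC_SERVICE_PATHS = {
    "/flexnet/pubservices/lineitemdetails",
    "/flexnet/pubservices/entitlementdetails",
    "/flexnet/pubservices/registeruser",
    "/flexnet/pubservices/mapentitlement",
}

# Assumed portal path for the Edit Account page (placeholder, not the real URL).
EDIT_ACCOUNT_PATH = "/portal/editAccount"


@dataclass
class Request:
    path: str
    user: Optional[str] = None          # None models an unauthenticated caller
    params: dict = field(default_factory=dict)


def authorize(req: Request, enforce_public_auth: bool = True) -> int:
    """Return the HTTP status the request should receive: 200, 401, 403 or 404."""
    if req.path in PUBLIC_SERVICE_PATHS:
        # Fix 1: public web services require an authenticated caller unless the
        # transitional "Enable authentication for Public Webservices" option is off.
        if enforce_public_auth and req.user is None:
            return 401
        return 200
    if req.path == EDIT_ACCOUNT_PATH:
        # Fix 2: object-level authorization. Supplying an account ID is not
        # enough; the caller must be authenticated AND a member of that account.
        if req.user is None:
            return 401
        account_id = req.params.get("accountId")
        if account_id not in USER_ACCOUNTS.get(req.user, set()):
            return 403
        return 200
    return 404
```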