Security Issues Resolved
The following issues related to FlexNet Operations security were addressed in the 2025 R1 release.
• Security Fixes Related to FlexNet Embedded .JAR Files
• Security Fixes Related to Apache Tomcat
• Improved Handling of Potentially Sensitive URLs
• Enforced Authentication in Public Services API
• Fixed Insecure Direct Object Reference Vulnerability in End-User Portal
• Enforcing Account Access Permissions for Portal Users
• Improved Error Handling for Status 500 Errors
• Upgraded Chart.js
Security Fixes Related to FlexNet Embedded .JAR Files
(Cases 02263480, 02263480, 02545209, 02578008; SWM-14175)
We have addressed several security vulnerabilities identified in the National Vulnerability Database (NVD). The following CVEs have been fixed in this release by using the latest .JAR files from FlexNet Embedded:
• CVE-2019-1543 (CVSS 7.4)
• CVE-2019-1551 (CVSS 5.3)
• CVE-2019-1549 (CVSS 5.3)
• CVE-2019-1563 (CVSS 3.7)
• CVE-2019-1547 (CVSS 4.7)
• CVE-2019-1552 (CVSS 3.3)
Security Fixes Related to Apache Tomcat
(SWM-24993)
Apache vulnerabilities were identified in FlexNet Operations 2024 R1 on-premise. These have been addressed in FlexNet Operations 2025 R1 on-premise by upgrading Apache Tomcat to version 9.0.104. The following vulnerabilities were resolved:
• CVE-2024-34750 (CVSS 7.5)—Fixed in Apache Tomcat version 9.0.90
• CVE-2025-24813 (CVSS 9.8)—Fixed in Apache Tomcat version 9.0.99
Improved Handling of Potentially Sensitive URLs
(Case 02916672, SWM-23701)
During a security scan, the following URLs were identified as potentially exposing sensitive information in FlexNet Operations On-Premises:
• /flexnet/%2522ns%253D%2522netsparker%25280x00011F%2529
• /flexnet/c%3a%5cboot.ini
• /flexnet//r87.com/.html
To address this, all listed URLs now redirect to the login page, with the exception of /flexnet/c%3a%5cboot.ini. Previously, accessing this URL resulted in a 500 Internal Server Error with visible error details. This has been resolved by implementing proper exception handling, and the request now redirects to the sitedown.html page:
Under Maintenance page (sitedown.html) displayed when trying to access the URL /flexnet/c%3a%5cboot.ini.
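The following Python example is added here for illustration and is not Revenera's code. It decodes the three reported request paths the way a log reviewer would, to show what each scanner probe contains once its percent-encoding layers are removed. The label names, the `MAX_ROUNDS` cap and the benign comparison path are assumptions of this example.

```python
import re
from urllib.parse import unquote

# The three request paths reported by the scan, copied from the list above.
REPORTED_PATHS = [
    "/flexnet/%2522ns%253D%2522netsparker%25280x00011F%2529",
    "/flexnet/c%3a%5cboot.ini",
    "/flexnet//r87.com/.html",
]
CONTEXT = "/flexnet/"   # application context path used in the URLs above
MAX_ROUNDS = 5          # assumed cap on nested percent-encoding layers


def fully_decode(path):
    """Percent-decode repeatedly until the value is stable; return (path, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def classify(path):
    """Return (decoded_path, labels); the labels are this example's own names."""
    decoded, rounds = fully_decode(path)
    # Look only at what follows the context path (or the leading slash).
    tail = decoded[len(CONTEXT):] if decoded.startswith(CONTEXT) else decoded[1:]
    labels = []
    if rounds > 1:                                # encoded more than once
        labels.append("multiple-encoding")
    if re.match(r"[A-Za-z]:[\\/]", tail):         # drive letter, e.g. c:\
        labels.append("windows-absolute-path")
    if tail.startswith("/"):                      # "//host" after the context path
        labels.append("double-slash-host")
    if re.search(r"[\"'<>()]", tail):             # characters unusual in a path
        labels.append("quote-or-bracket-characters")
    return decoded, labels


if __name__ == "__main__":
    # "/flexnet/home" is a constructed benign path for comparison.
    for p in REPORTED_PATHS + ["/flexnet/home"]:
        print(p, "->", classify(p))
```

Running the same classification over web server access logs shows whether requests of this shape are reaching the application and which response they receive after the fix.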
Resolved XXE Vulnerability in Public Services API
(Case 03287621, SWM-27698)
Revenera has addressed an unauthenticated XML External Entity (XXE) vulnerability in its public services APIs that previously allowed unauthorized access to server files through specially crafted XML requests.
Enforced Authentication in Public Services API
(SWM-22672)
FlexNet Operations has a public API hosted at the following URLs:
• https://<site-id>.flexnetoperations.com/flexnet/pubservices/lineitemdetails
• https://<site-id>.flexnetoperations.com/flexnet/pubservices/entitlementdetails
• https://<site-id>.flexnetoperations.com/flexnet/pubservices/registeruser
• https://<site-id>.flexnetoperations.com/flexnet/pubservices/mapentitlement
Previously, these endpoints could be accessed without any sort of authentication, which is now categorized as a security flaw. In line with modern security practices, these API endpoints now require authentication.
To ease the transition to enforced authentication, the 2024.10 release introduces the configuration Enable authentication for Public Webservices (under System > Configure > FlexNet Operations > General Options). By default, the option is selected and authentication is enforced. Producers who need time to adjust and do not want to enforce authentication for a transition period can unselect the option.
However, Revenera recommends that producers change their systems to enable authentication as soon as possible. The Enable authentication for Public Webservices configuration option will be removed in a future release to avoid security exposure, and authentication will then be fully enforced.
Fixed Insecure Direct Object Reference Vulnerability in End-User Portal
(Case 02889128, SWM-22283)
Unauthorized users can no longer navigate to the Edit Account page (which shows account details) of an account that they do not belong to by changing the ID in the URL of the End-User Portal.
Enforcing Account Access Permissions for Portal Users
(SWM-25459)
Previously, users with the Portal User role could access information that they were not entitled to see by manipulating URL parameters.
In the 2025 R1 release, it is no longer possible to access information without the necessary permissions by manipulating URL parameters.
Improved Error Handling for Status 500 Errors
(Case 2889182, SWM-22287)
Previously, status 500 errors could reveal the server hostname in the fault details of the response, which is considered a security risk. Such an error could be triggered by sending a bad request using web services—for example, by attempting to update a user with a typo in the request, like <urn:lastNam>?</urn:lastName>.
This issue has now been addressed, and status 500 errors no longer reveal implementation details.
Upgraded Chart.js
(Case 02999121, SWM-25776)
The Chart.js library has been upgraded to version 2.9.4 to address potential security vulnerabilities.