Vulnerability: No authentication and origin validation for connections using the CodeMeter Runtime WebSockets API.

Impact: Unauthorized reading of license information, dongle information and CodeMeter version, and update of licenses.

CVE description: This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted JavaScript payload, which may allow alteration or creation of license files when combined with CVE-2020-14515.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Vulnerability: Improper input validation of update files in CodeMeter Runtime.

Impact: A specially crafted license file may cause a crash in CodeMeter and the software using it.

CVE description: CodeMeter (All versions prior to 6.81) and the software using it may crash while processing a specifically crafted license file due to unverified length fields.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

If an update is not possible in a timely manner, two mitigation approaches can be followed. The first is to employ Rexroth Products and their Licensing functions within a closed and/or secure network environment (as described below). The second mitigation alternative is to deactivate access to the WebSocket API (this must be performed on the licensing server-side).

A new version of the Laser Localization Software (i.e. Laser Localization Software version 1.2) is expected to be available in October 2020. It is recommended that all instances using prior versions are updated to this software version once it is made available.

A new version 1.1 of the installation package for the extension module Tool localization of ActiveAssist is available as of September 24, 2020. It is recommended to update prior versions. The new version is readily available for registered customers as prior versions

Bosch Rexroth strongly recommends operating the Laser Localization Software, ActiveAssist as well as the CodeMeter License Server host machine in a closed network with limited access to the system. Another alternative is to restrict the functions of the CodeMeter Runtime software by binding its communication to the localhost.
It is strongly recommended that customers update the WIBU Systems CodeMeter Runtime Software hosted in their machines to version

Rexroth Laser Localization Software < 1.2
Rexroth ActiveAssist Tool localization extension module < 1.1

These vulnerabilities do not affect the CodeMeter Embedded Software.
A set of 6 vulnerabilities affects multiple versions of the WIBU Systems CodeMeter Runtime Software. This software is used by multiple Rexroth Products and Bosch Rexroth customers for license management. In order to successfully exploit these vulnerabilities, an attacker requires access to the network or system. One vulnerability (CVE-2020-14509) is notably critical, as it can easily be exploited by crafting packets sent over any network.

The successful exploitation of these vulnerabilities can lead to DoS (CVE-2020-14513, CVE-2020-14509), remote code execution (CVE-2020-14509), bypassed encryption (CVE-2020-14517), heap leak on the licensing server-side (CVE-2020-16233) and manipulation or forgery of license files (CVE-2020-14519, CVE-2020-14515).

Bosch Rexroth recommends updating vulnerable components using the CodeMeter Runtime to version