FAQ – Security Advisory 210423-01

Udział:

FAQ last updated: 2021-06-15

Frequently Asked Questions (Q&A)

Q: How critical is the situation in practice?

A: In order to exploit the vulnerability, attackers must have access either to the system itself or to a system on the same network. Attackers must have already broken into or gained access to the network. If they have managed to do so, they can exploit the vulnerability.

Q: Do I have to install the update on all systems?

A: CodeMeter Runtime is affected on all platforms (Windows, macOS, Linux).

Q: My systems are running in a protected environment. Do I still have to install the update?

A: If you can make sure that attackers cannot gain access to your network, then the vulnerability cannot be exploited and an update is not mandatory.

Additional Frequently Asked Questions (Q&A) for software vendors who use CodeMeter for licensing

Q: Do I have to re-encrypt the protected software?

A: No, the security vulnerability only affects components that are installed on systems via CodeMeter Runtime. However, if you have included CodeMeter Runtime in your installer, you would have to replace it.

Q: Does this affect CodeMeter License Central?

A: No, CodeMeter License Central is not affected by this security vulnerability. The CodeMeter License Server used by CodeMeter License Central is not configured to run as a network server.

Q: I do not use CodeMeter Runtime, but rather CodeMeter Embedded for my application. Do I have to patch or adapt the code coming from CodeMeter Embedded?

A: No, the security vulnerability only affects components of the CodeMeter Runtime. The reported vulnerability cannot be exploited with CodeMeter Embedded.

Q: Do I have to apply a firmware update for active CmDongles?

A: No, the security vulnerability only affects components that are installed on systems via CodeMeter Runtime. No functions of the CodeMeter hardware are affected, therefore no firmware update is necessary.

Q: Does the vulnerability allow people to circumvent the licenses or software protection?

A: This security vulnerability does not affect licensing or protections.

Q: Why should I notify my users?

A: Larger companies and institutional clients often actively follow reports on the vulnerabilities of new releases. There is a chance that your users will become aware of the vulnerability. By notifying them proactively, you show that you recognize your responsibility for the security of your users’ systems.

 

Do góry