The Sustainsys.Saml2 library has been upgraded to version 1.0.2.

FlexNet Manager Suite version 2022 R1

Due to the CVE-2020-5268 security vulnerability, the Sustainsys.Saml2 library has been upgraded to version 1.0.2.

The security vulnerability impacts FlexNet Manager Suite versions 2016 R1 SP1 (released December 15th 2016) onwards, and remediation actions have been taken to ensure that this vulnerability is now fixed in FlexNet Manager Suite 2022 R1.

CVE-2020-5268 summary

The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even when they specify another subject confirmation method. An attacker can take advantage of this vulnerability to use a Saml2 token with a subject confirmation method other than bearer, and then use such a token to create a login session.
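The distinction the summary turns on, as an added example that is not Sustainsys.Saml2 or FlexNet Manager Suite code: a Python check that models the described behaviour (every subject confirmation treated as bearer) beside the check a relying party should make (only a bearer confirmation, addressed to this service's ACS and not yet expired, may start a session). The namespace and method URNs are the standard SAML 2.0 values and the ACS URL is the one this page gives; the sample assertions, timestamps and function names are constructed, and the assertion signature is assumed to have been verified before this check runs.

```python
"""Added example (not Sustainsys.Saml2 or FlexNet Manager Suite code): the
subject confirmation check that separates a bearer assertion from one that
carries another method. Sample assertions and function names are constructed."""
from datetime import datetime
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
EXPECTED_ACS = "https://wapsvr/Suite/Saml2/Acs"  # this service's ACS endpoint (from the page)


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2022-01-01T00:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _confirmations(assertion_xml: str):
    """Yield (Method, SubjectConfirmationData) for every SubjectConfirmation."""
    root = ET.fromstring(assertion_xml)
    for sc in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        yield sc.get("Method", ""), sc.find(f"{{{SAML_NS}}}SubjectConfirmationData")


def _data_valid(data, expected_acs: str, now: datetime) -> bool:
    """Recipient must be this ACS and the confirmation must not have expired."""
    if data is None or data.get("Recipient") != expected_acs:
        return False
    not_after = data.get("NotOnOrAfter")
    return not_after is not None and now < _ts(not_after)


def session_allowed_vulnerable(assertion_xml: str, now_iso: str, expected_acs: str = EXPECTED_ACS) -> bool:
    """Models the behaviour in the advisory: the Method attribute is never
    consulted, so any confirmation is processed as if it were bearer."""
    now = _ts(now_iso)
    return any(_data_valid(d, expected_acs, now) for _, d in _confirmations(assertion_xml))


def session_allowed_fixed(assertion_xml: str, now_iso: str, expected_acs: str = EXPECTED_ACS) -> bool:
    """Only a bearer confirmation may establish a web SSO session. Other methods
    (holder-of-key, sender-vouches) demand proof this code does not check, so
    they are skipped rather than trusted."""
    now = _ts(now_iso)
    return any(method == CM_BEARER and _data_valid(d, expected_acs, now)
               for method, d in _confirmations(assertion_xml))


def sample_assertion(method: str, recipient: str = EXPECTED_ACS) -> str:
    """Constructed, unsigned sample assertion carrying one SubjectConfirmation."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0" IssueInstant="2022-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2022-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


NOW = "2022-01-01T00:01:00Z"  # constructed "current time" inside the validity window

if __name__ == "__main__":
    hok = sample_assertion(CM_HOLDER_OF_KEY)
    print("vulnerable accepts holder-of-key:", session_allowed_vulnerable(hok, NOW))
    print("fixed accepts holder-of-key:", session_allowed_fixed(hok, NOW))
    print("fixed accepts bearer:", session_allowed_fixed(sample_assertion(CM_BEARER), NOW))
```

The vulnerable model accepts the holder-of-key sample exactly as it accepts the bearer one; the fixed check rejects it, and also rejects a bearer confirmation addressed to another Recipient or past its NotOnOrAfter time.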

What you need to do

In order to fix the vulnerability in your environment, do the following:
  • Upgrade to FlexNet Manager Suite 2022 R1.
    Note: Before upgrading, make a copy of your current kentor.authservices configuration from the web.config file. You will need it after the upgrade.

After you have upgraded to FlexNet Manager Suite 2022 R1, complete the following two actions:

  • Apply the kentor.authservices configuration that was used in your previous version of FlexNet Manager Suite to the new sustainsys.saml2 section in the web.config file.
    • Attributes and properties remain the same, and no values need to be updated. All that is required is to copy and paste the kentor.authservices configuration from the FlexNet Manager Suite version you upgraded from into the new sustainsys.saml2 section in the web.config file. Note: Ensure that the authenticationType attribute in the signOn element is set to Saml.
  • Update the single sign-on and single logout URLs for the identity provider.
    • Update https://wapsvr/Suite/AuthServices/Logout to https://wapsvr/Suite/Saml2/Logout.
    • Update https://wapsvr/Suite/AuthServices/Acs to https://wapsvr/Suite/Saml2/Acs.
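The two post-upgrade actions as one added, runnable example (not Flexera's or Sustainsys' code): it carries a saved kentor.authservices section into the sustainsys.saml2 section of a 2022 R1 web.config without changing any value, checks the signOn authenticationType, and derives the identity provider's new endpoint URLs from the old ones. Assumptions: the section and element names are spelled as on this page (match the case used in your actual files); the signOn element and its authenticationType attribute are FlexNet-specific, and their position in the file is assumed; both web.config samples and the identity provider values in them are constructed.

```python
"""Added example (not Flexera's or Sustainsys' code): migrate the saved
kentor.authservices section into sustainsys.saml2 and derive the new
identity provider endpoint URLs. Section/element names follow this page;
the sample web.config contents are constructed."""
import copy
import xml.etree.ElementTree as ET

OLD_SECTION = "kentor.authservices"  # as written on the page; match your file's case
NEW_SECTION = "sustainsys.saml2"

# Constructed copy of the pre-upgrade section, saved before the upgrade.
OLD_WEB_CONFIG = """<configuration>
  <kentor.authservices entityId="https://wapsvr/Suite" returnUrl="https://wapsvr/Suite/">
    <identityProviders>
      <add entityId="https://idp.example.test" signOnUrl="https://idp.example.test/sso"
           allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
        <signingCertificate fileName="~/App_Data/idp.cer" />
      </add>
    </identityProviders>
  </kentor.authservices>
  <signOn authenticationType="Saml" />
</configuration>"""

# Constructed post-upgrade file: empty placeholder section, signOn not yet set to Saml.
NEW_WEB_CONFIG = """<configuration>
  <sustainsys.saml2 entityId="" returnUrl="" />
  <signOn authenticationType="CHANGE-ME" />
</configuration>"""


def _child(root, tag):
    """Direct child of root with the given tag, or None."""
    return next((c for c in root if c.tag == tag), None)


def migrate_saml_section(old_config_xml: str, new_config_xml: str) -> str:
    """Replace the placeholder sustainsys.saml2 section with the attributes and
    children of the saved kentor.authservices section, values unchanged."""
    old_root = ET.fromstring(old_config_xml)
    new_root = ET.fromstring(new_config_xml)
    old_sec, new_sec = _child(old_root, OLD_SECTION), _child(new_root, NEW_SECTION)
    if old_sec is None or new_sec is None:
        raise ValueError(f"need <{OLD_SECTION}> in the old file and <{NEW_SECTION}> in the new one")
    new_sec.attrib.clear()
    new_sec.attrib.update(old_sec.attrib)
    for child in list(new_sec):
        new_sec.remove(child)
    for child in old_sec:
        new_sec.append(copy.deepcopy(child))
    return ET.tostring(new_root, encoding="unicode")


def identity_provider_ids(config_xml: str, section: str = NEW_SECTION) -> list:
    """entityId of every <identityProviders><add> entry under the given section."""
    sec = _child(ET.fromstring(config_xml), section)
    return [] if sec is None else [add.get("entityId") for add in sec.iter("add")]


def sign_on_is_saml(config_xml: str) -> bool:
    """The page's post-upgrade check: signOn authenticationType must be Saml."""
    root = ET.fromstring(config_xml)
    return any(el.get("authenticationType") == "Saml" for el in root.iter("signOn"))


def migrated_endpoint(old_url: str) -> str:
    """Both endpoint changes on the page are the same rename of one path segment."""
    return old_url.replace("/AuthServices/", "/Saml2/")


if __name__ == "__main__":
    migrated = migrate_saml_section(OLD_WEB_CONFIG, NEW_WEB_CONFIG)
    print(migrated)
    print("signOn is Saml:", sign_on_is_saml(migrated))
    for url in ("https://wapsvr/Suite/AuthServices/Logout", "https://wapsvr/Suite/AuthServices/Acs"):
        print(url, "->", migrated_endpoint(url))
```

The migration deliberately leaves the signOn element alone, so sign_on_is_saml is a separate check to run on the edited file; the two URLs printed at the end are what the identity provider's registration of the service must be updated to.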

Customers using SSO will not be able to log into FlexNet Manager Suite 2022 R1 unless they have completed the actions noted above.

The FlexNet Manager Suite 2022 R1 upgrade is not mandatory, and SSO authentication will continue to work normally for existing releases and fresh installs. However, customers running FlexNet Manager Suite versions 2016 R1 SP1 onwards are susceptible to the CVE-2020-5268 security vulnerability.

FlexNet Manager Suite (On-Premises)

2022 R1