CodeMeter 7.10a
Release Date: 2020-Sep-16
Operating Systems Windows, Linux, Mac OS X
Download: Windows (47.15MB)
Info
Notice of published security vulnerabilities
Several security vulnerabilities in CodeMeter have been reported to us by a security service provider and were published on September 8th, 2020. Some of the vulnerabilities have been fixed in already released versions of CodeMeter. Further improvements are included in this version. A detailed overview of the vulnerabilities is available at https://www.wibu.com/support/security-advisories.html. Because of the classification of the vulnerabilities, Wibu-Systems strongly recommends an update to this version. Thanks to backwards compatibility this is usually possible without problems, but it should be discussed with the manufacturer of the software licensed with CodeMeter.
Introduction of a new version of the WebSocket API with Origin Check
The WebSocket API has been enhanced with an Origin Check. Each call must be accompanied by a certificate issued by Wibu-Systems, which confirms for the called website that the requested WebSocket API calls are allowed for the Firm Code contained in the certificate. The WebSocket API with Origin Verification replaces the previous versions of the WebSocket API without Origin Verification. The previous protocol variants without Origin Verification are disabled by default (CVE-2020-14519). The WebSocket API without Origin Verification can be enabled by setting the profiling entry 'CmWebSocketAllowWithoutOriginCheck'='1'. Such activation is not recommended.
The new WebSocket API with Origin Check ignores the previously possible deactivation by setting the profiling entry 'CmWebSocketApi'='0'. This means that it is always active, even if the WebSocket API without Origin Verification was previously disabled using this switch for security reasons.
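The two profiling entries described above can be checked during a configuration review. The following is an added example, not Wibu-Systems code: it assumes the profiling entries have been exported as INI-style text (the layout, the section name and the sample values are constructed for illustration) and reports both the re-enabled legacy API and the switch that no longer disables anything.

```python
import configparser

# Constructed sample input. The INI layout and the section name are assumptions.
SAMPLE = """\
[General]
CmWebSocketApi=0
CmWebSocketAllowWithoutOriginCheck=1
"""

def load_entries(text):
    """Flatten all sections into one {lowercased name: value} dict."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string("[_top]\n" + text)  # tolerate entries before any section header
    entries = {}
    for section in cp.sections():
        for name, value in cp.items(section):
            entries[name] = value.strip().strip("'\"")
    return entries

def audit_websocket(text):
    """Return (severity, entry, message) findings for the two entries in the note."""
    entries = load_entries(text)
    findings = []
    if entries.get("cmwebsocketallowwithoutorigincheck") == "1":
        findings.append(("HIGH", "CmWebSocketAllowWithoutOriginCheck",
                         "WebSocket API without Origin Check is re-enabled "
                         "(disabled by default, CVE-2020-14519); remove or set to 0"))
    if entries.get("cmwebsocketapi") == "0":
        findings.append(("INFO", "CmWebSocketApi",
                         "ignored by the WebSocket API with Origin Check, which "
                         "stays active; do not count this as a mitigation"))
    return findings

if __name__ == "__main__":
    for severity, entry, message in audit_websocket(SAMPLE):
        print(f"[{severity}] {entry}: {message}")
```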
Bugfixes:
FB64290: CodeMeter License Server: In the network protocol it is internally noted whether the connection is local or remote. CodeMeter.exe now checks the content of the packet and therefore no longer accepts remote connections as local connections.
FB71272: CodeMeter License Server: Due to a missing parameter check it was possible to bring the CodeMeter License Server to a standstill (Denial of Service (DoS)) using specially generated TCP/IP packets (CVE-2020-14509).
FB71354: CodeMeter License Server: A missing check of the received data volume caused a heap overflow, which could lead to a Denial of Service (DoS) or possibly remote code execution (CVE-2020-14509).
FB71172: CodeMeter License Server: During license borrowing the licenses of contained module items were not correctly assigned at the sender.
FB71174: CodeMeter License Server: License Tracking: Module items with an inherited number of licenses were not correctly considered in license tracking. The license of a module item indirectly borrowed due to inheritance is now also listed as borrowed.
FB71542: CodeMeter License Server: WibuCmNET.dll: A .NET application built or encrypted against version 7.0 could not be started with newer versions of CodeMeter. A corresponding policy was missing.