A: In order to exploit the vulnerability, attackers must have access either to the system itself or to a system on the same network. Attackers must have already broken into or gained access to the network. If they have managed to do so, they can exploit the vulnerability.
Q: Do I have to install the update on all systems?
A: CodeMeter Runtime is affected on all platforms (Windows, macOS, Linux).
Q: My systems are running in a protected environment. Do I still have to install the update?
A: If you can make sure that attackers cannot gain access to your network, then the vulnerability cannot be exploited and an update is not mandatory.
Additional Frequently Asked Questions (Q&A) for software vendors who use CodeMeter for licensing
Q: Do I have to re-encrypt the protected software?
A: No, the security vulnerability only affects components that are installed on systems via CodeMeter Runtime. However, if you have included CodeMeter Runtime in your installer, you would have to replace it.
Q: Does this affect CodeMeter License Central?
A: No, CodeMeter License Central is not affected by this security vulnerability. The CodeMeter License Server used by CodeMeter License Central is not configured to run as a network server.
Q: I do not use CodeMeter Runtime, but rather CodeMeter Embedded for my application. Do I have to patch or adapt the code coming from CodeMeter Embedded?
A: No, the security vulnerability only affects components of the CodeMeter Runtime. The reported vulnerability cannot be exploited with CodeMeter Embedded.
Q: Do I have to apply a firmware update for active CmDongles?
A: No, the security vulnerability only affects components that are installed on systems via CodeMeter Runtime. No functions of the CodeMeter hardware are affected, therefore no firmware update is necessary.
Q: Does the vulnerability allow people to circumvent the licenses or software protection?
A: This security vulnerability does not affect licensing or protections.
Q: Why should I notify my users?
A: Larger companies and institutional clients often actively follow reports on the vulnerabilities of new releases. There is a chance that your users will become aware of the vulnerability. By notifying them proactively, you show that you recognize your responsibility for the security of your users’ systems.