Thanks for posting to the Community.
Did you manage to find an answer to this question? Please share anything you can here, it might help someone with a similar question.
Hi Michael, no I have not heard a response. One would think the response needs to come from an Ivanti employee (such as yourself?).
One would assume, based on version numbers, that 2016 SP3 mitigates this CVE, though the timing of the CVE publishing has me unsure, hence my posting.
I am running 10.1 (AKA SU1 or 2016-0830B or 2016.3 or 10.1) and the collector.exe is v. 10.1.0.168 dated 9/21/2016. It is later version than the one you posted.
There is an entry into the community about this CVE-2016-3147: Collector.exe Denial-of-Service
LANDESK is aware of the vulnerability inside of collector.exe which is currently used by our Alerting component. This problem is fixed in 2016.3 and newer, and 9.6 SP3 SU1 and newer. Please update and update your agents to resolve this issue.
Fixed in file version: 10.1.0.168 (2016.3), 126.96.36.199 (9.6 SP3 SU2)
I hope this helps you.
1 of 1 people found this helpful
jabramson - Thank you kindly for posting the correct links & information up. Nicely detailed . (Marked it as the correct answer, as you've got all the bases covered).
alarson - yes, we usually get tagged about CVE's affecting us pretty quick & try to deal with them as quickly as possible. Usually each such CVE has its own bulletin on the community (where we detail whether or not we're affected. For instance, while a lot of the SSL issues of the last few years didn't really affect us, we still bumped those files up to ensure that folks can rest easy from the "verifiable" point of view, not just a technical explanation).
The article pointed to above covering this CVE was published about 24 hrs after your initial post, so you just got in a little early with it, before we had something official up (which comes after initial technical evaluation, as we try to have some useful facts to post first).
Hope that helps? .