January 12, 2018

This notice applies to customers that are using Usage Based Licensing (UBL) with Deadline 9 or 10, and are currently using the Deadline License Forwarder to enable UBL Web Forwarding. UBL Web Forwarding is only required if you are using UBL with Deadline Slaves that do not have access to the internet. This option allows the Deadline Slaves to use the License Forwarder as a proxy, instead of connecting directly to the Cloud License Server (CLS), and is documented here:

We have identified a vulnerability in the Certificate Utility required for this feature. If you are using this feature, this vulnerability requires your immediate attention.

A certificate authority (CA) certificate was insecurely embedded in previous versions of the Certificate Utility. We have modified the Certificate Utility to securely generate a CA certificate unique to each installation, and to remove the insecure CA certificate when used on Deadline Slaves.

If you are using UBL with Deadline 9 or 10, please follow the corrective actions below to address the vulnerability.

Step 1: Confirm that you’re using Deadline 9 or 10

Open up any of the Deadline applications (Monitor, Slave, etc) and click on the Help menu. The “About” menu item will show the Deadline version. If it is not 9.0 or 10.0, you can stop reading.

Step 2: Confirm that you’re running the Deadline License Forwarder

Use the Deadline Monitor and open up the License Forwarder panel. Refer to this link for details:


If there are no running instances, then you can stop reading. You are not running the License Forwarder, and are therefore not using it for Web Forwarding.

Step 3: Confirm whether or not you’re using Deadline UBL, and if you have Web Forwarding enabled

Use the Deadline Monitor, enter Super User Mode from the Tools menu, then select Tools -> Configure Repository Options. Click on the Usage Based Licensing page, which will bring up the configuration page seen here:


If the URL field under Usage Based Licensing Settings is blank, then you are not using Deadline UBL, and you can stop reading.

If you are using Deadline UBL, look for the check box called “Use License Forwarder for Usage Based Licensing” or “Enable Web Forwarding” (the name changed in Deadline 10.0.9). If this check box is unchecked, then you are not using Web Forwarding, and you can stop reading.

If you’ve confirmed that you’re using Deadline UBL and Web Forwarding, please continue to Step 4.

Step 4: Download the new Certificate Utility, regenerate the certificate, and reinstall it on your Deadline Slaves

  1. Download the new Certificate Utility from https://downloads.thinkboxsoftware.com/ by logging in with your AWS or Amazon account. Then select Deadline 9.0 or Deadline 10.0 from the version list, click the Download button, and choose the Certificate Utility installer for the appropriate operating system(s) that your Deadline License Forwarder and Deadline Slaves are running.
  2. Run the Certificate Utility on the License Forwarder to generate the new certificate, as documented here: https://docs.thinkboxsoftware.com/products/deadline/10.0/1_User%20Manual/manual/licensing-web-forwarding.html#setup-license-forwarder
  3. After generating the certificate, run the Certificate Utility on the Deadline Slave machines to install the new certificate, as documented here: https://docs.thinkboxsoftware.com/products/deadline/10.0/1_User%20Manual/manual/licensing-web-forwarding.html#setup-slaves

Note that the old certificate will be replaced with the new certificate as part of this process. If you had installed the certificate on the Deadline Slaves manually, you will need to manually remove them from the Deadline Slave machines. Please contact Thinkbox Support if  you have any questions: http://www.thinkboxsoftware.com/support-links/

These steps will resolve the issue for your farm. We apologize for any inconvenience this may cause.

Thank you.