Software security vulnerabilities and their risks have become a topic of regular discussion, especially in the IT world. LOGIC Solutions Group supports Safe Software’s decision to roll out this security vulnerability patch for FME Server 2021 and 2022. Please review the articles below from Safe to understand your organization’s exposure better. If your organization uses FME Server and is impacted by, or interested in proactively addressing, these vulnerabilities, we are here to help address any concerns.
From Safe Software:
We have released an update to FME Server that addresses six vulnerabilities in FME Server that were recently discovered and disclosed to us privately. This update, available in FME 2021.2.6 and 2022.0.1.1, fixes the majority of these vulnerabilities and is available for download here. We have also published mitigation guidance for users to further protect their FME Server (viewable by registered FME Community users only).
The six identified vulnerabilities affect all versions of FME Server. Public-facing FME Server instances, including FME Cloud, are at higher risk. FME Desktop is not impacted. We have not identified any active exploitation of these vulnerabilities in any of our products.
To learn how to limit your exposure and mitigate these issues, please see the articles below:
1) Known Issue: FME Server unauthenticated and authenticated stored cross-site scripting (XSS) Vulnerabilities
https://go.safe.com/e/702933/-Scripting-XSS-Vulnerabilities/2gn6cc/501950983?h=q419HBNmr4bh3gHt7joiGF0O8lVfugCv9i0Uzu37Yk8
2) Known Issue: FME Server vulnerability with arbitrary path traversal and file upload
https://go.safe.com/e/702933/path-traversal-and-file-upload/2gn6cg/501950983?h=q419HBNmr4bh3gHt7joiGF0O8lVfugCv9i0Uzu37Yk8
3) Known Issue: FME Server XXE vulnerability via adding a repository item
https://go.safe.com/e/702933/y-via-adding-a-repository-item/2gn6ck/501950983?h=q419HBNmr4bh3gHt7joiGF0O8lVfugCv9i0Uzu37Yk8
4) Known Issue: Arbitrary file upload with any authenticated FME Server account
https://go.safe.com/e/702933/thenticated-FME-Server-account/2gn6cn/501950983?h=q419HBNmr4bh3gHt7joiGF0O8lVfugCv9i0Uzu37Yk8
5) Known Issue: Lack of server-side validation when creating a new user in FME Server
https://go.safe.com/e/702933/ating-a-new-user-in-FME-Server/2gn6cr/501950983?h=q419HBNmr4bh3gHt7joiGF0O8lVfugCv9i0Uzu37Yk8
6) Known Issue: FME Server missing validation which may result in an unwanted redirect upon login
https://go.safe.com/e/702933/n-unwanted-redirect-upon-login/2gn6cv/501950983?h=q419HBNmr4bh3gHt7joiGF0O8lVfugCv9i0Uzu37Yk8
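The advisory names two patched builds, 2021.2.6 and 2022.0.1.1, one per release branch, so a simple "is my version newer than X" comparison is not enough: 2022.0.0 sorts above 2021.2.6 but is still unpatched. The following inventory check is an added example, not code from Safe Software or LOGIC Solutions Group; the fixed version numbers come from the advisory text, while the dotted-integer version format and the sample hostnames are assumptions constructed for the example.

```python
"""Check whether an FME Server build is at or past the patched release
named in Safe Software's advisory (2021.2.6 and 2022.0.1.1).

Added example, not Safe Software's or LOGIC Solutions Group's code.
The fixed versions come from the advisory text; the version string
format (dotted integers, e.g. "2022.0.1.1") is an assumption.
"""

# Patched builds per release branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    2021: (2021, 2, 6),
    2022: (2022, 0, 1, 1),
}


def parse_version(text):
    """Turn '2022.0.1.1' into a tuple of ints; raise on anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version_text):
    """Return 'patched', 'unpatched' or 'unknown-branch'.

    The comparison is done within the release branch (the leading year
    component), so 2022.0.0 is reported as unpatched even though it
    sorts above 2021.2.6. Branches the advisory does not list (for
    example 2020.x) are reported as unknown rather than assumed safe.
    """
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed is None:
        return "unknown-branch"
    # Pad the shorter tuple with zeros so 2022.0.1 compares like 2022.0.1.0.
    width = max(len(version), len(fixed))

    def pad(t):
        return t + (0,) * (width - len(t))

    return "patched" if pad(version) >= pad(fixed) else "unpatched"


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> version reported by the server.
    inventory = {
        "fme-prod-01": "2022.0.1.1",
        "fme-prod-02": "2022.0.0",
        "fme-legacy": "2021.2.6",
        "fme-old": "2021.1.0",
        "fme-eol": "2020.2.3",
    }
    for host, ver in inventory.items():
        print(f"{host:12s} {ver:10s} {patch_status(ver)}")
```

Feed it the version strings collected from your own servers; anything reported as unpatched or unknown-branch should be upgraded or covered by the mitigation guidance Safe published, since the advisory states that all versions are affected.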