Known Issue ID | FMESERVER-18289 |
---|---|
CVE | CVE-2022-38342 [Medium] |
Discovered | FME Server 2021.2.3 and 2022.0 |
Affects | All Versions of FME Server |
Resolved | FME Server 2021.2.6 and 2022.0.0.2 |
This known issue affects all versions of FME Server. Public-facing FME Server instances, including FME Cloud, are at higher risk. We have not identified any active exploitation of these vulnerabilities in any of our products.
Symptom
CVE-2022-38342 [NIST Medium severity]: A user who has been granted access permissions on Repositories as well as Read and Publish permissions on any Repository is able to carry out an XML external entity (XXE) injection attack. This can result in server-side request forgery and data exfiltration attacks.
Cause
The workspace file format (.fmw) can be manipulated to import an external file.
Resolution
Upgrade FME Server to 2021.2.6, 2022.0.2, or newer where this issue has been resolved. See the Downloads page for the latest version and our documentation for upgrading instructions. If you need assistance upgrading, please contact one of our Partners.
If you are unable to upgrade at this time, please ensure strict firewall rules are implemented to limit outbound traffic from FME Server. It is also recommended to limit workspace upload access to only trusted users by restricting role permissions.
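The advisory's cause is an XML external entity (XXE) construct in uploaded workspace content. As an added illustration of a defender-side control that complements the role-permission advice above (this is not Safe Software's code and is not drawn from this page), the following Python scan flags DOCTYPE and entity declarations in an uploaded document before it reaches any full parser. It assumes the uploaded content is parsed as XML, which the advisory's XXE description implies, and that a workspace has no legitimate need for a DTD; the sample documents are constructed generic XML, not real .fmw files. The scan itself never retrieves anything: expat performs no I/O on its own, parameter-entity parsing is switched off, and the external-entity reference handler refuses resolution.

```python
"""Pre-upload scan for XML external entity (XXE) constructs.

Added illustration for this advisory; not Safe Software code. Assumes the
uploaded workspace content is parsed as XML and that a legitimate workspace
never carries a DTD. Sample inputs below are constructed, not real .fmw data.
"""
import xml.parsers.expat
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ScanResult:
    doctype: bool = False                 # any <!DOCTYPE ...> present
    external_dtd: Optional[str] = None    # SYSTEM/PUBLIC id on the DOCTYPE
    external_entities: List[str] = field(default_factory=list)  # "name -> id"
    internal_entities: List[str] = field(default_factory=list)
    blocked_references: int = 0           # &name; references we refused
    parse_error: Optional[str] = None


def scan_for_xxe(data: bytes) -> ScanResult:
    """Parse `data` with expat and report DOCTYPE/entity constructs.

    Nothing external is retrieved: expat does no I/O itself, parameter-entity
    parsing is off (so an external DTD subset is never read), and returning 0
    from the external-entity reference handler makes expat abort instead of
    expanding the reference.
    """
    result = ScanResult()
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        result.doctype = True
        if sysid or pubid:
            result.external_dtd = sysid or pubid

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:
            result.external_entities.append(f"{name} -> {sysid or pubid}")
        else:
            result.internal_entities.append(name)

    def on_external_ref(context, base, sysid, pubid):
        result.blocked_references += 1
        return 0  # refuse resolution; expat stops with an error

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        result.parse_error = str(exc)
    return result


def is_safe_to_accept(data: bytes) -> bool:
    """Strict policy (assumption: workspaces never need a DTD): reject any
    DOCTYPE at all, not just external entities, and require a clean parse.
    Refusing the whole construct closes the class instead of one payload."""
    r = scan_for_xxe(data)
    return not r.doctype and not r.external_entities and r.parse_error is None


# Constructed sample inputs (not real .fmw content); the host is a reserved
# .invalid name so nothing could resolve even if a parser tried.
SAFE_DOC = b'<?xml version="1.0"?><workspace name="demo"><param>1</param></workspace>'
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE workspace [<!ENTITY ext SYSTEM "http://example.invalid/placeholder">]>'
    b'<workspace name="demo"><param>&ext;</param></workspace>'
)
EXTERNAL_DTD_DOC = (
    b'<!DOCTYPE workspace SYSTEM "http://example.invalid/placeholder.dtd">'
    b'<workspace name="demo"/>'
)

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("xxe", XXE_DOC), ("ext-dtd", EXTERNAL_DTD_DOC)):
        verdict = "accept" if is_safe_to_accept(doc) else "reject"
        print(f"{label}: {verdict} {scan_for_xxe(doc)}")
```

Run in the upload path, `is_safe_to_accept` gives a single yes/no gate, while `scan_for_xxe` supplies the detail worth logging (which entity, which external identifier) so that rejected uploads can be reviewed and, together with the firewall rule above, any attempted outbound fetch is both prevented and visible.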
Recognition
Safe would like to thank Cycura Data Protection Corp. for making this responsible disclosure to us and recognize their contribution to increasing the security standard of FME.
Reporting Security Issues
If you believe you have discovered a vulnerability in FME, our website, or our other products, please email us as quickly as possible at security (at) safe (dot) com.
We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.
Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.