Known Issue: FME Flow Authentication Bypass Vulnerability in Instances with Imported Azure AD/SAML Accounts

Liz Sanderson
Known Issue ID: FMEFLOW-21273
Discovered: FME Flow 2023.0
Affects: FME Server 2021.2 to 2022.2 and FME Flow 2023.0
Affected version numbers:
  • 2021.2.*
  • 2022.0.*
  • 2022.1.*
  • 2022.2.0 - 2022.2.7
  • 2023.0.0 - 2023.0.2
Resolved: FME Flow 2023.1 (also fixed in FME Server 2022.2.8+ and FME Flow 2023.0.3+)

* As of the FME 2023 release, FME Server is now FME Flow. 
 

FME Flow Hosted (formerly FME Cloud) instances are affected if Azure AD or SAML is enabled. We have not identified active exploitation of this vulnerability in any of our products.

 

Symptom

In FME Server 2021.2 to 2022.2 and FME Flow 2023.0, it is possible for an unauthenticated attacker to gain access to the application, leading to system compromise without requiring user interaction. This only affects instances with Azure Active Directory (AD) or SAML user accounts imported to FME Flow. Customers that use Windows AD or the built-in authentication method are not affected.
 

Cause

An authentication flaw in FME Server 2021.2 to 2022.2 and FME Flow 2023.0 could allow an attacker to bypass authentication and generate REST API tokens for Azure AD and SAML user accounts imported to FME Flow. 
 

Severity

Safe Software assesses the severity of this vulnerability as Critical, according to our calculated CVSS score of 9.0. We believe the exploitability of the vulnerability on FME Flow Hosted instances, which are exposed to the internet, is higher. This is our assessment, and you should evaluate its applicability to your own IT environment.

Customers using Windows AD or the built-in authentication method are not affected by this vulnerability.
 

Resolution 

Upgrade/Update FME Flow

Upgrade to FME Flow 2023.1 or update to a new build of FME Flow 2023.0.3+ (b23340+) or FME Server 2022.2.8+ (b22802+), where this issue has been resolved. See the Downloads page for the latest version and our documentation for upgrading instructions for FME Flow and for FME Flow Hosted. If you need assistance upgrading, please contact one of our Partners.
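Deciding which installs need action is easier with the thresholds above written down as code. The following triage helper is an added example, not Safe Software's tooling. It uses only the affected ranges and first-fixed builds stated in this advisory; the version and build strings it accepts ("2022.2.7.0", build 22801 or "b22801") are assumed to be taken from the product's own version display, and the inventory at the bottom is constructed for the demonstration.

```python
"""Triage FME Server / FME Flow installs against the build ranges in this advisory."""
import re

# Release lines the advisory lists as affected. None means every build of the line
# is affected and only the manual patch or an upgrade helps. Otherwise the value is
# (first fixed patch level, first fixed build number) as given in the Resolution.
FIRST_FIXED = {
    (2021, 2): None,
    (2022, 0): None,
    (2022, 1): None,
    (2022, 2): (8, 22802),   # FME Server 2022.2.8, b22802
    (2023, 0): (3, 23340),   # FME Flow 2023.0.3, b23340
}

_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(version):
    """'2022.2.7.0' -> (2022, 2, 7); the trailing fourth component is ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def parse_build(build):
    """Accept 22801, '22801' or 'b22801'; None stays None."""
    if build is None:
        return None
    return int(str(build).strip().lower().lstrip("b"))


def is_affected(version, build=None):
    """True if the install falls inside an affected range.

    The build number is the authoritative test when known, because the fixed
    thresholds in the advisory are expressed as builds; otherwise the patch
    level from the version string is used.
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line not in FIRST_FIXED:
        return False            # 2021.1 and older are not listed; 2023.1 and newer are fixed
    fix = FIRST_FIXED[line]
    if fix is None:
        return True             # whole release line affected
    fixed_patch, fixed_build = fix
    b = parse_build(build)
    if b is not None:
        return b < fixed_build
    return patch < fixed_patch


def triage(inventory):
    """inventory: iterable of (host, version, build-or-None). Returns the affected hosts."""
    return [host for host, version, build in inventory if is_affected(version, build)]


if __name__ == "__main__":
    # Constructed inventory for the demonstration; host names are made up.
    sample = [
        ("fme-prod-01", "2022.2.7.0", "b22801"),
        ("fme-prod-02", "2022.2.8.0", 22802),
        ("fme-test-01", "2023.0.2.0", None),
        ("fme-test-02", "2023.1.0", None),
    ]
    print("needs action:", triage(sample))
```

Run it over your own list of hosts; anything it returns should be upgraded, updated or patched, and the Azure AD/SAML workaround below applied in the meantime.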
 

Apply Manual Patch

Alternatively, if you are unable to upgrade or update FME Flow, administrators can apply the following patch to any affected version. 

Steps: 

  1. Stop your FME Flow or FME Server instance.
  2. Download the patch file for the release you are targeting. Patch files are attached to this article. 
  3. Navigate to the file paths listed below that are applicable to the release you are patching.
  4. Move the existing server-handler.jar or server-handler-1.0.jar to a safe location.
  5. Place the downloaded patch file where the old server-handler file was. Rename the patch file to match what is shown in the table below. 
  6. Start your FME Flow or FME Server instance.


Depending on the release version, the server-handler jar exists in four to six locations, and each one must be replaced.
On Windows they are under the directory where FME Server, or FME Flow for releases 2023.0 and later, was installed; on all other platforms they are likewise under the installation directory.

Example:
If you are using FME Server 2021.2, download the patch file server-handler-1-2021-2-0-1.jar. In the four locations indicated in the table below, replace the existing server-handler file with the patch file. Then, in each location the file was placed, rename server-handler-1-2021-2-0-1.jar to either server-handler.jar or server-handler-1.0.jar, according to the below table.
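Because the patch must be copied to several locations and renamed to whichever of the two file names each location already uses, it is easy to miss one. The script below is an added example, not Safe Software's tooling; it automates steps 3 to 5 of the procedure above by finding every server-handler.jar or server-handler-1.0.jar below the install root, moving each original into a backup tree for rollback, and copying the patch jar into its place under the original name. It does not stop or start the service (steps 1 and 6), and it refuses to run if the number of jars found is outside the 4 to 6 the advisory describes. The directory layout and jar contents in demo() are constructed stand-ins; the real locations are the ones listed in the table for your release.

```python
"""Replace every server-handler jar under an FME install root with the patch jar."""
import shutil
import tempfile
from pathlib import Path

# The two file names the patch must take, depending on location.
TARGET_NAMES = ("server-handler.jar", "server-handler-1.0.jar")


def find_handler_jars(install_root):
    """Every server-handler jar below the install root, in a stable order."""
    root = Path(install_root)
    return sorted(p for p in root.rglob("server-handler*.jar") if p.name in TARGET_NAMES)


def apply_patch(install_root, patch_jar, backup_dir, expected=(4, 6)):
    """Back up each original jar and copy the patch jar in under the same name.

    Returns the list of replaced paths. Refuses to run if the number of jars found
    is outside the expected range, or if the backup directory sits inside the
    install tree (a later run would otherwise treat the backups as targets).
    """
    root = Path(install_root).resolve()
    patch = Path(patch_jar).resolve()
    backup = Path(backup_dir).resolve()
    if not patch.is_file():
        raise FileNotFoundError(f"patch jar not found: {patch}")
    if backup == root or root in backup.parents:
        raise ValueError("backup directory must be outside the install root")
    targets = find_handler_jars(root)
    lo, hi = expected
    if not lo <= len(targets) <= hi:
        raise RuntimeError(
            f"found {len(targets)} server-handler jars under {root}, expected {lo}-{hi}; "
            "check the install root before patching")
    replaced = []
    for jar in targets:
        dest = backup / jar.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(jar), str(dest))   # original kept for rollback
        shutil.copy2(patch, jar)           # patch takes the original file name
        replaced.append(jar)
    return replaced


def demo():
    """Run apply_patch against a constructed stand-in for an FME Server 2021.2 tree.

    The directory names and jar contents are made up for the demonstration.
    """
    base = Path(tempfile.mkdtemp(prefix="fme-patch-demo-")).resolve()
    root = base / "FMEServer"
    layout = {
        "Utilities/server-handler.jar": b"old-1",
        "Server/lib/server-handler-1.0.jar": b"old-2",
        "Server/engine/server-handler.jar": b"old-3",
        "Server/webapp/WEB-INF/lib/server-handler-1.0.jar": b"old-4",
        "Server/lib/unrelated.jar": b"leave-me",      # must not be touched
    }
    for rel, content in layout.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
    patch = base / "server-handler-1-2021-2-0-1.jar"   # name from the example above
    patch.write_bytes(b"patched")
    replaced = apply_patch(root, patch, base / "backup")
    return {
        "replaced": sorted(p.relative_to(root).as_posix() for p in replaced),
        "patched_ok": all(p.read_bytes() == b"patched" for p in replaced),
        "backups_ok": all((base / "backup" / p.relative_to(root)).read_bytes().startswith(b"old")
                          for p in replaced),
        "untouched": (root / "Server/lib/unrelated.jar").read_bytes() == b"leave-me",
    }


if __name__ == "__main__":
    print(demo())
```

For a real install, call apply_patch with the installation directory, the downloaded patch file for your release, and a backup directory outside the install tree, after stopping the service. Rolling back is a matter of copying the backup tree over the install root.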

[Image: AzureJarFiles.png, the table of server-handler jar locations and target file names by release]

List of Patch Files by Release Version

2021.2 released builds (oldest to newest)

Release Version Build Number
2021.2.0.1 21789
2021.2.1.0 21797
2021.2.2.0 21806
2021.2.3.0 21812
2021.2.4.0 21814
2021.2.5.0 21816
2021.2.6.0 21821


2022.0 released builds (oldest to newest)

Release Version Build Number
2022.0.0.2 22343
2022.0.1.1 22350

 

2022.1 released builds (oldest to newest)

Release Version Build Number
2022.1.0.0 22618
2022.1.1.0 22623
2022.1.2.0 22627
2022.1.3.9 22630

 

2022.2 released builds (oldest to newest)

Release Version Build Number
2022.2.0.0 22765
2022.2.1.0 22776
2022.2.2.0 22782
2022.2.3.0 22789
2022.2.4.0 22792
2022.2.5.0 22795
2022.2.6.0 22800
2022.2.7.0 22801

 

2023.0 released builds (oldest to newest)

Release Version Build Number Patch File
2023.0.0.3 23319 server-handler-1.0-2023-0-0-3.jar
2023.0.1.0 23332 server-handler-1.0-2023-0-1-0.jar
2023.0.2.0 23339 server-handler-1.0-2023-0-2-0.jar

 

Workarounds

If you are unable to upgrade to FME Flow 2023.1, or update to a new build of FME Flow 2023.0.3+ (b23340+) or FME Server 2022.2.8+ (b22802+), or apply the manual patch, we recommend FME Flow administrators take the following actions:

  1. Individually disable all existing Azure AD or SAML user accounts on the system.  
  2. Disable the Azure AD and SAML authentication methods so that no new Azure AD or SAML user accounts can be created. Any Azure AD or SAML account that is created nonetheless remains susceptible to the vulnerability until step 1 has been applied to it as well.

 

Reporting Security Issues

If you believe you have discovered a vulnerability in the FME Platform, our website, or our other products, please email us as quickly as possible at security at safe dot com.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.

Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.

 

Support

If you have questions or concerns regarding this advisory, please raise a support request.
 
