Known Issue ID | FMEFLOW-21273 |
---|---|
Discovered | FME Flow 2023.0 |
Affects | FME Server 2021.2 to 2022.2 and FME Flow 2023.0 (affected version numbers: see the list of patch files by release version below) |
Resolved | FME Flow 2023.1 |
* As of the FME 2023 release, FME Server is now FME Flow.
FME Flow Hosted (formerly FME Cloud) instances are affected if Azure AD or SAML is enabled. We have not identified active exploitation of this vulnerability in any of our products.
Symptom
In FME Server 2021.2 to 2022.2 and FME Flow 2023.0, it is possible for an unauthenticated attacker to gain access to the application, leading to system compromise without requiring user interaction. This only affects instances with Azure Active Directory (AD) or SAML user accounts imported to FME Flow. Customers that use Windows AD or the built-in authentication method are not affected.
Cause
An authentication flaw in FME Server 2021.2 to 2022.2 and FME Flow 2023.0 could allow an attacker to bypass authentication and generate REST API tokens for Azure AD and SAML user accounts imported to FME Flow.
Severity
Safe Software assesses the severity of this vulnerability as Critical, according to our calculated CVSS score of 9.0. We believe the exploitability of the vulnerability on FME Flow Hosted instances, which are exposed to the internet, is higher. This is our assessment, and you should evaluate its applicability to your own IT environment.
Customers using Windows AD or the built-in authentication method are not affected by this vulnerability.
Resolution
Upgrade/Update FME Flow
Upgrade to FME Flow 2023.1 or update to a new build of FME Flow 2023.0.3+ (b23340+) or FME Server 2022.2.8+ (b22802+), where this issue has been resolved. See the Downloads page for the latest version and our documentation for upgrading instructions for FME Flow and for FME Flow Hosted. If you need assistance upgrading, please contact one of our Partners.
Apply Manual Patch
Alternatively, if you are unable to upgrade or update FME Flow, administrators can apply the following patch to any affected version.
Steps:
- Stop your FME Flow or FME Server instance.
- Download the patch file for the release you are targeting. Patch files are attached to this article.
- Navigate to the file paths listed below that are applicable to the release you are patching.
- Move the existing server-handler.jar or server-handler-1.0.jar to a safe location.
- Place the downloaded patch file where the old server-handler file was. Rename the patch file to match what is shown in the table below.
- Start your FME Flow or FME Server instance.
There are 4-6 locations where the patch file needs to be replaced, depending on the release version.
For Windows, they can be found in the directory where you installed FME Server or, for releases 2023.0+, FME Flow. The same applies on all other platforms: the locations are under the directory where FME Flow or FME Server is installed.
Example:
If you are using FME Server 2021.2, download the patch file server-handler-1-2021-2-0-1.jar. In the four locations indicated in the table below, replace the existing server-handler file with the patch file. Then, in each location the file was placed, rename server-handler-1-2021-2-0-1.jar to either server-handler.jar or server-handler-1.0.jar, according to the below table.
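As an added example, not Safe Software's own tooling, the following POSIX shell function automates the replace-and-rename steps of the manual patch for one installation: it locates every server-handler.jar or server-handler-1.0.jar under the install directory, moves each to a backup directory (preserving its relative path), and copies the downloaded patch file into the original location under the original name. The install directory, patch jar and backup directory are assumed inputs supplied by the caller, and the FME Flow or FME Server instance is assumed to be stopped already.

```shell
#!/bin/sh
# Added example, not Safe Software's code: replace every server-handler jar
# under an FME Flow / FME Server install directory with the downloaded patch
# file, keeping a backup of each original. Assumes the service is stopped.
#
# usage: apply_server_handler_patch INSTALL_DIR PATCH_JAR BACKUP_DIR
# Prints the number of locations patched on stdout; returns 1 on bad input.
apply_server_handler_patch() {
    install_dir=${1%/}; patch_jar=$2; backup_dir=${3%/}
    [ -d "$install_dir" ] || { echo "install dir not found: $install_dir" >&2; return 1; }
    [ -f "$patch_jar" ]   || { echo "patch jar not found: $patch_jar" >&2; return 1; }
    mkdir -p "$backup_dir"

    # Only the two file names the advisory names are candidates; any other
    # jar whose name merely starts with "server-handler" is left untouched.
    list=$(mktemp)
    find "$install_dir" -type f \
        \( -name server-handler.jar -o -name server-handler-1.0.jar \) > "$list"

    count=0
    while IFS= read -r old; do
        rel=${old#"$install_dir"/}                # path relative to install dir
        mkdir -p "$backup_dir/$(dirname "$rel")"
        mv "$old" "$backup_dir/$rel"              # keep the original in a safe place
        cp "$patch_jar" "$old"                    # patch file takes the old file's name
        count=$((count + 1))
    done < "$list"
    rm -f "$list"

    # The advisory expects 4 to 6 locations; anything else deserves a look
    # before the instance is started again.
    if [ "$count" -lt 4 ] || [ "$count" -gt 6 ]; then
        echo "warning: patched $count location(s), expected 4-6" >&2
    fi
    echo "$count"
}
```

Run it once per installation with the patch file that matches the build in the tables below, and check the printed count against the number of locations for that release before starting the instance.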
List of Patch Files by Release Version
2021.2 released builds (oldest to newest)
- Patch file: server-handler-1-2021-2-0-1.jar
Release Version | Build Number |
---|---|
2021.2.0.1 | 21789 |
2021.2.1.0 | 21797 |
2021.2.2.0 | 21806 |
2021.2.3.0 | 21812 |
2021.2.4.0 | 21814 |
2021.2.5.0 | 21816 |
2021.2.6.0 | 21821 |
2022.0 released builds (oldest to newest)
- Patch file: server-handler-1.0_2022_0_0_2.jar
Release Version | Build Number |
---|---|
2022.0.0.2 | 22343 |
2022.0.1.1 | 22350 |
2022.1 released builds (oldest to newest)
- Patch file: server-handler-1.0_2022_1_0_0.jar
Release Version | Build Number |
---|---|
2022.1.0.0 | 22618 |
2022.1.1.0 | 22623 |
2022.1.2.0 | 22627 |
2022.1.3.9 | 22630 |
2022.2 released builds (oldest to newest)
- Patch file: server-handler-1.0_2022_2_0_0.jar
Release Version | Build Number |
---|---|
2022.2.0.0 | 22765 |
2022.2.1.0 | 22776 |
2022.2.2.0 | 22782 |
2022.2.3.0 | 22789 |
2022.2.4.0 | 22792 |
2022.2.5.0 | 22795 |
2022.2.6.0 | 22800 |
2022.2.7.0 | 22801 |
2023.0 released builds (oldest to newest)
Release Version | Build Number | Patch File |
---|---|---|
2023.0.0.3 | 23319 | server-handler-1.0-2023-0-0-3.jar |
2023.0.1.0 | 23332 | server-handler-1.0-2023-0-1-0.jar |
2023.0.2.0 | 23339 | server-handler-1.0-2023-0-2-0.jar |
Workarounds
If you are unable to upgrade to FME Flow 2023.1, or update to a new build of FME Flow 2023.0.3+ (b23340+) or FME Server 2022.2.8+ (b22802+), or apply the manual patch, we recommend FME Flow administrators take the following actions:
- Individually disable all existing Azure AD or SAML user accounts on the system.
- Disable Azure AD and SAML, to prevent new Azure AD or SAML user accounts from being created. New Azure AD and SAML accounts that are created will still be susceptible to the vulnerability until the above step is applied to them.
Reporting Security Issues
If you believe you have discovered a vulnerability in the FME Platform, our website, or our other products, please email us as quickly as possible at security at safe dot com.
We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.
Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.
Support
If you have questions or concerns regarding this advisory, please raise a support request.