Introduction
Safe Software is aware of the vulnerability known as CVE-2023-4863, a heap buffer overflow in the image library libwebp that is triggered by decoding a crafted WebP image. The same flaw was briefly tracked under a second identifier, CVE-2023-5129, which was subsequently rejected as a duplicate of CVE-2023-4863.
This article provides an overview of our analysis of this vulnerability and our mitigation advice for users. We will continuously update this article as we have new information to share.
Summary Table
Application | Version(s) Affected | Platform | Remediation | Workaround |
---|---|---|---|---|
FME Engine | All versions prior to 2023.1.1.1* | Windows, macOS | FME 2023.1.1.1+ (build 23636+) | Remove the following file from FME: metafile/webp.fmf |
FME Form | All versions prior to 2023.1.1.1* | Windows, macOS | FME 2023.1.1.1+ (build 23636+) | See our best practices guidance for FME Form below |
FME Flow | FME Engine updates only required (see above) | | | |
FME Flow Hosted | Operating system updates only required | | | |
FME Mobile Applications | Operating system updates only required | | | |
FME License Server | Not affected | | | |
* Per our Product Support Policy, only the current year’s release of FME will be assessed for security issues.
According to our assessment, this vulnerability does not pose a significant risk to FME users, particularly where the WebP format is not in use: the flaw is only reached when a crafted WebP image is decoded, so the exposure is untrusted data reaching the WebP reader. To reduce the risk of attack, users should exercise caution when opening links and processing data from untrusted sources, and when writing custom scripts embedded within FME workspaces.
FME Form
Impact:
All FME Form versions prior to 2023.1.1.1 on Windows and macOS are impacted: the affected component is bundled both in the underlying FME Engine and in FME Form itself.
FME Form running on Linux is not affected if the underlying operating system is up to date.
Remediation:
If installed on Windows or macOS, upgrade to FME Form 2023.1.1.1+, where this issue has been resolved in the context of both the FME Form and FME Engine.
See the Downloads page for the latest version and our documentation for upgrading instructions for FME Form. If you need assistance upgrading, please follow your regular Support channels.
Workaround:
If you are unable to upgrade to FME Form 2023.1.1.1+ to mitigate the vulnerability in FME Engine, we recommend removing the following file from the FME installation:
metafile/webp.fmf
Removing this file disables the Google WebP Reader/Writer: any workspace that reads or writes WebP will fail until FME is upgraded. Keep a copy of the file outside the FME installation folder if you expect to need it again on the same build.
In addition, we advise users to follow security best practices, such as:
- Avoid opening suspicious files, links, or FME Packages, especially those from unknown senders.
- Keep operating systems and web browsers updated with the latest security patches.
- Exercise caution when setting up new web connections from unknown sources.
- Exercise caution when writing custom scripts embedded within FME workspaces.
FME Flow
Impact:
All FME Flow versions prior to 2023.1.1.1* on Windows and macOS are impacted because the affected component is bundled in the underlying FME Engine.
FME Flow running on Linux is not affected if the underlying operating system is up to date.
Remediation:
If installed on Windows or macOS, upgrade to FME Flow 2023.1.1.1+, where this issue has been resolved. See the Downloads page for the latest version and our documentation for upgrading instructions for FME Flow. If you need assistance upgrading, please follow your regular Support channels.
Workaround:
If you are unable to upgrade to FME Flow 2023.1.1.1+ to mitigate the vulnerability in FME Engine, we recommend removing the following file from each FME Flow Engine installation:
<installFolder>/Server/fme/metafile/webp.fmf
In a distributed installation, repeat this on every machine where FME Flow Engines are installed; the file is per host, so a single removal does not cover the deployment.
Removing this file disables the Google WebP Reader/Writer: any job that reads or writes WebP will fail until FME Flow is upgraded.
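The workaround for FME Form (metafile/webp.fmf) and for FME Flow (<installFolder>/Server/fme/metafile/webp.fmf) is the same per-host file removal, and both the "is WebP actually used" question and the need to repeat it on every Engine host are easy to get wrong by hand. The POSIX shell script below is an added example, not Safe Software's own tooling: it inventories a data directory for WebP images by their RIFF/WEBP container header (so the format is detected even when a file has been renamed to .png), moves the metafile into a backup directory outside the FME tree instead of deleting it, verifies the result, and can roll the change back. The install folder, backup directory and data directory are arguments you supply; the /opt/fmeflow/Server/fme path in the usage comment is only an illustration. It targets macOS hosts (and Linux hosts with the same layout); Windows hosts need the equivalent steps in PowerShell, which are not shown here.

```shell
#!/bin/sh
# Added example, not Safe Software's own tooling. Applies the advisory's
# workaround (take metafile/webp.fmf out of the FME tree) reversibly, checks
# the result, and inventories data for WebP images so you know whether the
# format is in use at all. Assumptions: argument 1 is the FME install folder
# (FME Form: <installFolder>; FME Flow Engine host: <installFolder>/Server/fme)
# on a macOS or Linux host; the metafile name is the one the advisory gives.
set -u

WEBP_METAFILE="metafile/webp.fmf"   # relative path named in the advisory

# Return 0 if $1 is a WebP image: a RIFF container whose form type at byte
# offset 8 is "WEBP". The file extension is deliberately ignored, because a
# crafted image renamed to .png is still handed to the WebP decoder.
is_webp() {
  [ -f "$1" ] || return 1
  [ "$(head -c 4 "$1" 2>/dev/null)" = "RIFF" ] || return 1
  [ "$(tail -c +9 "$1" 2>/dev/null | head -c 4)" = "WEBP" ]
}

# Print the path of every WebP image under directory $1, one per line.
# Use it to check the "especially if the WebP format is not used" part of
# the risk assessment against what is really on disk.
find_webp_files() {
  find "$1" -type f -print | while IFS= read -r f; do
    if is_webp "$f"; then printf '%s\n' "$f"; fi
  done
}

# 0 if the workaround is in effect on install folder $1, 1 otherwise.
webp_reader_disabled() {
  [ ! -e "$1/$WEBP_METAFILE" ]
}

# Move the metafile out of install folder $1 into backup directory $2
# (outside the FME tree, so nothing in FME can still pick it up).
# Idempotent: returns 0 whenever the reader is disabled afterwards.
disable_webp_reader() {
  src="$1/$WEBP_METAFILE"
  webp_reader_disabled "$1" && return 0
  mkdir -p "$2" || return 1
  mv "$src" "$2/webp.fmf" || return 1
  webp_reader_disabled "$1"
}

# Roll the workaround back on the same (still unpatched) build, e.g. when a
# workspace needs WebP and the risk is accepted. Does nothing if the install
# already has a metafile, so it never overwrites the one an upgrade installs.
restore_webp_reader() {
  dst="$1/$WEBP_METAFILE"
  [ -e "$dst" ] && return 0
  [ -f "$2/webp.fmf" ] || return 1
  mv "$2/webp.fmf" "$dst"
}

# Usage: sh webp_workaround.sh <installFolder> <backupDir> [<dataDir>]
# e.g.   sh webp_workaround.sh /opt/fmeflow/Server/fme /var/backups/fme-webp /data
#        (illustrative paths; substitute your own). For a distributed FME Flow,
#        run it on every Engine host.
if [ $# -ge 2 ]; then
  if [ -n "${3:-}" ] && [ -n "$(find_webp_files "$3")" ]; then
    echo "warning: WebP images found under $3; workspaces that read them will fail once the reader is disabled" >&2
  fi
  if disable_webp_reader "$1" "$2"; then
    echo "WebP reader disabled on $(hostname); metafile backed up to $2/webp.fmf"
  else
    echo "error: could not remove $1/$WEBP_METAFILE" >&2
    exit 1
  fi
fi
```

Run it with no arguments to load the functions into an interactive shell for ad hoc checks (for example `webp_reader_disabled /Applications/FME...` after an upgrade), or with arguments to apply the workaround. Moving rather than deleting the metafile keeps the rollback trivial, and the inventory step turns "WebP is probably not used" into a verifiable statement before any reader is disabled.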
FME Flow Hosted
Impact:
FME Flow Hosted instances are not impacted by this vulnerability if the underlying operating system is up to date, according to the Ubuntu security bulletin for CVE-2023-4863.
Remediation:
FME Flow Hosted users are advised to ensure their operating system of the instance is up to date. See our documentation for OS security update instructions for FME Flow Hosted.
FME Mobile Applications
Impact:
Users of FME Mobile and FME AR are not impacted by this vulnerability if they are running on an up-to-date version of Android or iOS/iPadOS.
Remediation:
FME Mobile and FME AR users are advised to ensure their mobile device is up to date according to the security bulletins from Android and Apple.
FME License Server
All versions of FME License Server (which uses FlexLM/FlexNet Publisher) are not affected by the vulnerability described in CVE-2023-4863.
FAQ
Will I be notified when new releases are available?
Everyone is welcome to join our mailing list to be notified when new releases are available, by signing up via the form on our Downloads page.
How can I be notified of security updates in the future?
If you would like to be notified of security updates from Safe Software, we encourage you to subscribe to our Security Updates email list by signing up via the form on our Security page.
Reporting Security Issues
If you believe you have discovered a vulnerability in the FME Platform or our website, please email us as quickly as possible at security at safe dot com.
We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users. Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.
Support
If you have questions or concerns regarding this advisory, please raise a support request.