Spring4Shell Vulnerability: Is FME Impacted?

Laura Wu

Summary

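| CVE Number | Product | Impact |
|---|---|---|
| CVE-2022-22965 (Spring4Shell) | FME Desktop | Not affected |
| CVE-2022-22965 (Spring4Shell) | FME Server | Not affected* |
| CVE-2022-22965 (Spring4Shell) | FME Cloud | Not affected |
| CVE-2022-22965 (Spring4Shell) | FME Mobile Apps | Not affected |
| CVE-2022-22965 (Spring4Shell) | FME License Server (FlexLM) | Not affected |
| CVE-2022-22963 | FME Desktop | Not affected |
| CVE-2022-22963 | FME Server | Not affected |
| CVE-2022-22963 | FME Cloud | Not affected |
| CVE-2022-22963 | FME Mobile Apps | Not affected |
| CVE-2022-22963 | FME License Server (FlexLM) | Not affected |
| CVE-2022-22950 | FME Desktop | Not affected |
| CVE-2022-22950 | FME Server | Not affected |
| CVE-2022-22950 | FME Cloud | Not affected |
| CVE-2022-22950 | FME Mobile Apps | Not affected |
| CVE-2022-22950 | FME License Server (FlexLM) | Not affected |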
 

FME Desktop

FME Desktop/Engine installations do not include the Spring Framework, therefore no version of FME Desktop or Engine is affected by any reported vulnerabilities in the framework.

FME Server

Spring4Shell (CVE-2022-22965): FME Server installations include the Spring Framework but use JDK version 8, and therefore do not meet the requirements to be affected by this vulnerability.

*Customers who have installed their own version of Tomcat and manually upgraded to JDK versions 9+ may be vulnerable to Spring4Shell. If you have done this, to mitigate this vulnerability it is recommended you: 

  • Downgrade to JDK8
  • Upgrade Tomcat to 9.0.62+
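
A way to check a self-managed Tomcat against the two conditions above (JDK 9+ and Tomcat below 9.0.62), as an added example that is not Safe Software's code. The function names and sample version strings are assumptions made for illustration; pass in the version reported by `java -version` and the `Server number` value from Tomcat's `version.sh`.

```shell
#!/bin/sh
# Added example (not Safe Software code). Applies the two conditions stated
# above: exposure needs JDK 9+, and the listed fix level for Tomcat is 9.0.62+.

# Pull the quoted version out of `java -version` output (read from stdin).
java_version_from_output() {
    sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Major Java release: "1.8.0_312" -> 8, "11.0.14" -> 11, "17" -> 17.
java_major() {
    v=${1#1.}           # legacy 1.x scheme: drop the leading "1."
    v=${v%%[!0-9]*}     # keep only the leading digits
    echo "${v:-0}"      # 0 means the string could not be parsed
}

# 0: 9.0.x at or above 9.0.62; 1: 9.0.x below it; 2: other branch, for which
# the article states no threshold.
tomcat_patched() {
    case $1 in
        9.0.[0-9]*) ;;
        *) return 2 ;;
    esac
    patch=${1#9.0.}
    patch=${patch%%[!0-9]*}
    [ "$patch" -ge 62 ]
}

# Print OK, ACTION or REVIEW for a Java version / Tomcat version pair.
assess() {
    major=$(java_major "$1")
    if [ "$major" -eq 0 ]; then echo "REVIEW"; return 0; fi
    if [ "$major" -le 8 ]; then echo "OK"; return 0; fi
    tomcat_patched "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "OK" ;;       # JDK 9+, but Tomcat is at the listed fix level
        1) echo "ACTION" ;;   # JDK 9+ and Tomcat below 9.0.62
        *) echo "REVIEW" ;;   # not a 9.0.x Tomcat: check manually
    esac
}

# Constructed sample: a self-managed Tomcat 9.0.58 running on OpenJDK 11.
sample_java='openjdk version "11.0.14" 2022-01-18'
jv=$(printf '%s\n' "$sample_java" | java_version_from_output)
echo "java=$jv tomcat=9.0.58.0 verdict=$(assess "$jv" 9.0.58.0)"
```

An `ACTION` verdict corresponds to the case described above, where either of the listed mitigations applies.
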

CVE-2022-22963: FME Server installations do not include Spring Cloud modules, therefore no version of FME Server is affected by this vulnerability.

CVE-2022-22950: We currently do not process SpEL expressions in our REST API, therefore no version of FME Server is affected by this vulnerability.

FME Cloud

The FME Cloud application is not affected as it does not run Java or use the Spring Framework. FME Server instances are not affected by CVE-2022-22965, CVE-2022-22963, or CVE-2022-22950.

FME Mobile Apps

The FME AR and FME Data Express mobile applications (iOS and Android) do not include the Spring Framework, therefore no version of these mobile applications is affected by any reported vulnerabilities in the framework.

FME License Server (FlexLM)

No Java is used within FlexLM (both client and server), therefore FlexLM is not affected by any reported vulnerabilities in the Spring Framework.
 
