Symptom
A security scan of FME Server has reported a vulnerability with the AJP Connector in the Apache Tomcat component.
CVE-2020-1938 provides a detailed description of this vulnerability.
Cause
This vulnerability was found to affect Apache Tomcat versions 7.0.0 - 7.0.99, 8.5.0 - 8.5.50 and 9.0.0 - 9.0.30. FME Server uses Apache Tomcat as the Web Application Server installed by default meaning your system may be at risk of this vulnerability.
To check whether the version of Apache Tomcat used by your FME Server falls into this category please see this article.
Resolutions
Two resolutions are available:
1. Disable the AJP Connector
The AJP Connector is not used in any FME Server processes so can be safely disabled by commenting out the following line (~ line 130) in <FMEServerDir>\Utilities\tomcat\conf\server.xml and then restarting the FME Server Web Application Server to apply this change. The text highlighted in red is what needs to be added:
<!-- Define an AJP 1.3 Connector on port 8009 --> <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
Note: Typically these vulnerabilities are identified by checking the component/library version, likely there wouldn’t be an in-depth check to see if there have been any efforts to remove or mitigate the risk of exploit. Therefore this version of Tomcat will always be flagged, regardless of what config changes are made.
2. Upgrade FME Server (or the Web Application Server)
If you are using FME 2020.0.1 b20204 or newer you should find this has already been disabled by default (commented out).
Apache Tomcat has been upgraded to 9.0.35 for FME 2020.1 b20559 and newer (where, by default, the AJP Connector is disabled).
If you would prefer you can provide your own Web Application Server however, please note that only the version FME Server has been shipped with is included in our standard test coverage.
If your security scan reports any other vulnerabilities with FME Server, please contact Safe Software Support with the CVE numbers so that we can investigate these for you.
Comments
0 comments
Please sign in to leave a comment.