Although FME is not impacted, out of an abundance of caution, we have upgraded the components of log4j to version 2.17.1 in FME 2021.2.2 and newer. You can find the latest version to download here.
Summary Table
CVE Number | Product | Impact / Action
---|---|---
CVE-2021-44228 | FME Desktop | 2020.x and older do not contain the affected log4j versions. 2021.x and newer are not susceptible to this vulnerability, but it is safe to upgrade the shipped log4j files to a newer version following the instructions detailed below.
CVE-2021-44228 | FME License Server | The installer does not ship any log4j files.
CVE-2021-44228 | FME Server | 2019.x and older do not contain the affected log4j versions. 2020.x does contain one instance of the affected log4j version in the Web Application api4v folder; however, we are confident that it is not vulnerable because we do not actively use it for logging. 2021.x and newer contain multiple instances of log4j; however, we are not susceptible to this vulnerability, because we do not actively use it for logging. The shipped log4j files can be safely upgraded to a newer version following the instructions detailed below.
CVE-2021-45046 | FME Server | We are not susceptible to this vulnerability, but it is safe to upgrade the shipped log4j files to a newer version following the instructions detailed below.
CVE-2021-45105 | FME Server | We are not susceptible to this vulnerability, but it is safe to upgrade the shipped log4j files to a newer version following the instructions detailed below.
CVE-2021-44832 | FME Server | The instructions in this article outline how to upgrade log4j to 2.17.1, which has been tested and confirmed safe by our developers.
CVE-2021-4104 | FME Desktop | Log4j 1.x is present in the installation for FME Desktop 2020.2 and older. To the best of our knowledge, FME Desktop 2020.x and older are not susceptible to CVE-2021-4104, as we don't allow the log4j configuration to be tweaked in the way required to exploit the vulnerability.
CVE-2021-4104 | FME Server | Log4j 1.x is present in the installation for FME Server 2020.2 and older. FME Server is not susceptible to CVE-2021-4104 because it does not use JNDI in its configuration for log4j.
FME Desktop
Our team has reviewed the recent CVE report against log4j 2.x and to the best of our knowledge, FME Desktop 2021.x is not impacted by the vulnerability as described in CVE-2021-44228. Out of an abundance of caution, we have upgraded the component for FME Desktop 2021.2.2 and newer.
We do not have concerns for FME 2020.x and prior, as they do not contain the vulnerable log4j versions described in CVE-2021-44228.
We do recommend that customers upgrade to the version of FME with the log4j upgrade when it becomes available.
For FME 2021.x and newer: If there is concern regarding the version of FME Desktop you are using, you can remove the risk of vulnerability by either:
- Deleting the log4j-*.jar files from the installation directory <install>/plugins/ (or /Library/FME/<version>/plugins/ on macOS)
  - Note: In some cases, there will be warnings about reduced logging and some possibly useful logging will be lost
- Replacing the log4j-*.jar files in the installation directory <install>/plugins/ (or /Library/FME/<version>/plugins/ on macOS) with the following four 2.17.1 jars (our internal testing shows no apparent negative impact):
FME License Server (FlexLM)
Our team has reviewed the recent CVE report against log4j 2.x, and all versions of FME License Server (using FlexLM/FlexNet Publisher) are not susceptible to the vulnerability described in CVE-2021-44228. The FME License Server installation does not include any log4j-related files.
FME Server
Our team has reviewed the recent CVE reported against log4j 2.x and we are confident that our implementation is not susceptible to the vulnerability described as CVE-2021-44228 as all of our FME Server logging is using a proprietary internal class that is not affected. Out of an abundance of caution, we have upgraded the component for FME Server 2021.2.2 and newer.
FME Server 2020.x and newer do contain instances of the affected log4j versions; however, we are confident that it is not vulnerable because we do not actively use it for logging. FME Server 2019.x and older do not contain the vulnerable log4j versions described in CVE-2021-44228.
If there is concern regarding the presence of Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.17.0 in FME Server, you can remove the risk of vulnerability by performing the following steps (make backups of these files before making these replacements):
1. Download the following log4j 2.17.1 files:
   - Maven Repository: org.apache.logging.log4j » log4j-jcl » 2.17.1 (FME 2021.2 +)
   - Maven Repository: org.apache.logging.log4j » log4j-core » 2.17.1 (FME 2021.0 +)
   - Maven Repository: org.apache.logging.log4j » log4j-api » 2.17.1 (FME 2020.0 +)
   - Maven Repository: org.apache.logging.log4j » log4j-to-slf4j » 2.17.1 (FME 2020.0 +)
   - Maven Repository: org.apache.logging.log4j » log4j-slf4j-impl » 2.17.1 (FME 2021.0 +)
2. Stop the FME Server Services.
3. In <FMEServerInstall>/Utilities/tomcat/webapps/fmeapiv4/WEB-INF/lib/ replace the following two files with the new versions:
   - log4j-api-*.jar
   - log4j-to-slf4j-*.jar
4. FME Server 2021.x only (these files are not present in 2020.x): In <FMEServerInstall>/Utilities/tomcat/webapps/fmerest/WEB-INF/lib/ replace the following three files with the new versions:
   - log4j-api-*.jar
   - log4j-core-*.jar
   - log4j-slf4j-impl-*.jar
5. FME Server 2021.2 only (this folder does not exist in 2021.1 and 2021.0): In <FMEServerInstall>/Utilities/tomcat/webapps/fmesso/WEB-INF/lib/ replace the following two files with the new versions:
   - log4j-api-*.jar
   - log4j-to-slf4j-*.jar
6. In <FMEServerInstall>/Server/lib/ replace the following four files with the new versions:
   - log4j-api-*.jar
   - log4j-core-*.jar
   - log4j-jcl-*.jar
   - log4j-slf4j-impl-*.jar
7. In <FMEServerInstall>/Server/fme/plugins/ replace the following four files with the new versions:
   - log4j-api-*.jar
   - log4j-core-*.jar
   - log4j-jcl-*.jar
   - log4j-slf4j-impl-*.jar
8. Restart the FME Server Services.
Note: if you use distributed engines installed on hosts separate from your FME Server Core, you will need to repeat step 7 on each engine machine.
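The replacement steps above, as an added Python example that is not Safe Software's code: it inventories the log4j 2.x jars in the directories the steps name, flags anything below 2.17.1, and swaps each outdated jar for the matching 2.17.1 jar after moving the original into a backup directory (the backups the steps ask for). The directory map, the 2.17.1 target, the filename pattern used to read artifact and version, and the constructed install tree built in demo() are assumptions; directories a given release does not ship (fmerest in 2020.x, fmesso before 2021.2) are skipped. Passing a different directory map, for example {"plugins": [...]}, applies the same check to an FME Desktop install. Run it against a real install only with the FME Server services stopped, as step 2 requires.

```python
"""Inventory and upgrade log4j 2.x jars in an FME Server install tree (added example)."""
import re
import shutil
import tempfile
from pathlib import Path

# Directories from the upgrade steps, relative to <FMEServerInstall>, and the
# log4j artifacts each one ships (assumed from the article's file lists).
FME_SERVER_JAR_DIRS = {
    "Utilities/tomcat/webapps/fmeapiv4/WEB-INF/lib": ["log4j-api", "log4j-to-slf4j"],
    "Utilities/tomcat/webapps/fmerest/WEB-INF/lib": ["log4j-api", "log4j-core", "log4j-slf4j-impl"],
    "Utilities/tomcat/webapps/fmesso/WEB-INF/lib": ["log4j-api", "log4j-to-slf4j"],
    "Server/lib": ["log4j-api", "log4j-core", "log4j-jcl", "log4j-slf4j-impl"],
    "Server/fme/plugins": ["log4j-api", "log4j-core", "log4j-jcl", "log4j-slf4j-impl"],
}
TARGET_VERSION = "2.17.1"
# Matches e.g. log4j-slf4j-impl-2.14.1.jar -> ("log4j-slf4j-impl", "2.14.1"); log4j 1.x names do not match.
JAR_RE = re.compile(r"^(log4j-[a-z0-9-]+?)-(\d[^/]*?)\.jar$")


def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple; pre-releases sort below finals."""
    main, _, pre = version.partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    if pre:
        pre_num = re.sub(r"\D", "", pre)
        return nums + (-1, int(pre_num) if pre_num else 0)
    return nums + (0,)


def inventory(install_root, jar_dirs=FME_SERVER_JAR_DIRS):
    """List every log4j jar in the known directories and whether it is below the target version."""
    found = []
    for rel_dir, artifacts in jar_dirs.items():
        lib = Path(install_root) / rel_dir
        if not lib.is_dir():  # directory not present in this release
            continue
        for jar in sorted(lib.glob("log4j-*.jar")):
            m = JAR_RE.match(jar.name)
            if not m:
                continue
            artifact, version = m.groups()
            found.append({
                "path": jar,
                "artifact": artifact,
                "version": version,
                "expected": artifact in artifacts,  # listed for this directory in the steps
                "needs_upgrade": parse_version(version) < parse_version(TARGET_VERSION),
            })
    return found


def upgrade(install_root, new_jar_dir, backup_dir, jar_dirs=FME_SERVER_JAR_DIRS):
    """Move each outdated jar into backup_dir (mirroring its path), then copy in the 2.17.1 jar.
    Services must be stopped before this runs."""
    new_jars = {}
    for jar in Path(new_jar_dir).glob("log4j-*.jar"):
        m = JAR_RE.match(jar.name)
        if m and m.group(2) == TARGET_VERSION:
            new_jars[m.group(1)] = jar
    actions = []
    for entry in inventory(install_root, jar_dirs):
        if not entry["needs_upgrade"]:
            continue
        replacement = new_jars.get(entry["artifact"])
        if replacement is None:  # downloaded set is incomplete; leave the old jar in place
            actions.append(("missing-replacement", entry["path"]))
            continue
        old = entry["path"]
        dest = Path(backup_dir) / old.relative_to(install_root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(old), str(dest))
        shutil.copy2(replacement, old.parent / replacement.name)
        actions.append(("replaced", old))
    return actions


def demo():
    """Constructed install tree (placeholder files, not a real FME install) run through both steps."""
    tmp = Path(tempfile.mkdtemp(prefix="fme-log4j-"))
    install, new_jars, backup = tmp / "FMEServer", tmp / "log4j-2.17.1", tmp / "backup"
    sample = {  # two outdated directories and one that is already current
        "Server/lib": ["log4j-api-2.14.1.jar", "log4j-core-2.14.1.jar",
                       "log4j-jcl-2.14.1.jar", "log4j-slf4j-impl-2.14.1.jar"],
        "Server/fme/plugins": ["log4j-api-2.17.1.jar", "log4j-core-2.17.1.jar",
                               "log4j-jcl-2.17.1.jar", "log4j-slf4j-impl-2.17.1.jar"],
        "Utilities/tomcat/webapps/fmeapiv4/WEB-INF/lib": ["log4j-api-2.0-beta9.jar",
                                                          "log4j-to-slf4j-2.0-beta9.jar"],
    }
    for rel, names in sample.items():
        (install / rel).mkdir(parents=True)
        for name in names:
            (install / rel / name).write_bytes(b"placeholder jar bytes")
    new_jars.mkdir()
    for art in ("log4j-api", "log4j-core", "log4j-jcl", "log4j-slf4j-impl", "log4j-to-slf4j"):
        (new_jars / f"{art}-{TARGET_VERSION}.jar").write_bytes(b"placeholder 2.17.1 jar")
    before = inventory(install)
    actions = upgrade(install, new_jars, backup)
    return before, actions, inventory(install), backup


if __name__ == "__main__":
    before, actions, after, backup = demo()
    for e in before:
        print(f"{e['path']}: {e['version']} {'UPGRADE' if e['needs_upgrade'] else 'ok'}")
    print(f"{len(actions)} jars replaced, originals under {backup}")
```

Re-running inventory() after the upgrade is the check that nothing below 2.17.1 remains; an entry with "expected": False means a log4j jar sits in a directory the steps do not list and deserves a look.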
FME Server .war files
Once FME Server is installed, the .war files located in <FMEServerInstall>/Utilities/tomcat/ can be deleted to prevent security scanners from flagging the vulnerable log4j files packaged inside them. Before deleting the affected .war files you must stop the FME Server Application Server service; otherwise Tomcat will automatically delete the corresponding deployed folders as well. Once the files have been deleted, restart the service.
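A .war is a zip archive, so the log4j jars a scanner flags inside it can be listed without unpacking. The following added Python example (not Safe Software's code) reports, for each .war under the Tomcat directory, the log4j jar entries it carries; the filename pattern and the two constructed archives built in demo() are assumptions. Running it before and after the deletion above shows what the scanners were reacting to and confirms nothing is left.

```python
"""List log4j jars packaged inside .war archives (added example)."""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed filename pattern: log4j-<artifact>-<version>.jar anywhere inside the archive.
JAR_RE = re.compile(r"(log4j-[a-z0-9-]+?)-(\d[^/]*?)\.jar$")


def log4j_entries_in_war(war_path):
    """Return (entry name, artifact, version) for every log4j jar bundled in the archive."""
    hits = []
    with zipfile.ZipFile(war_path) as war:
        for name in war.namelist():
            m = JAR_RE.search(name)
            if m:
                hits.append((name, m.group(1), m.group(2)))
    return hits


def scan_tomcat_dir(tomcat_dir):
    """Map each .war directly under tomcat_dir to the log4j jars it carries."""
    return {war.name: log4j_entries_in_war(war) for war in sorted(Path(tomcat_dir).glob("*.war"))}


def demo():
    """Constructed example: one archive carrying an old log4j, one with none."""
    tomcat = Path(tempfile.mkdtemp(prefix="fme-tomcat-"))
    with zipfile.ZipFile(tomcat / "fmerest.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-api-2.14.1.jar", b"placeholder")
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", b"placeholder")
        war.writestr("WEB-INF/lib/other-lib-1.0.jar", b"placeholder")
    with zipfile.ZipFile(tomcat / "fmesso.war", "w") as war:
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
    return scan_tomcat_dir(tomcat)


if __name__ == "__main__":
    for war, entries in demo().items():
        print(war, entries or "no log4j jars")
```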
FAQ
Can I upgrade log4j used in FME Desktop and FME Server myself?
Yes, please see the instructions above for either FME Desktop or FME Server.