Apache Log4j Vulnerability: Is FME Impacted?

Laura Wu

Although FME is not impacted, out of an abundance of caution we have upgraded the log4j components to version 2.17.1 in FME 2021.2.2 and newer. You can find the latest version to download here.


Summary Table

Columns: CVE Number / Product / Impact and Action

CVE-2021-44228
  FME Desktop: 2020.x and older do not contain the affected log4j versions. 2021.x and newer are not susceptible to this vulnerability, but it is safe to upgrade the shipped log4j files to a newer version following the instructions detailed below.
  FME License Server: The installer does not ship any log4j files.
  FME Server: 2019.x and older do not contain the affected log4j versions. 2020.x contains one instance of the affected log4j version, in the Web Application api4v folder; however, we are confident that it is not vulnerable because we do not actively use it for logging. 2021.x and newer contain multiple instances of log4j; however, we are not susceptible to this vulnerability because we do not actively use it for logging. The shipped log4j files can be safely upgraded to a newer version following the instructions detailed below.

CVE-2021-45046
  FME Server: We are not susceptible to this vulnerability, but it is safe to upgrade the shipped log4j files to a newer version following the instructions detailed below.

CVE-2021-45105
  FME Server: We are not susceptible to this vulnerability, but it is safe to upgrade the shipped log4j files to a newer version following the instructions detailed below.

CVE-2021-44832
  FME Server: The instructions in this article outline how to upgrade log4j to 2.17.1, which has been tested and confirmed safe by our developers.

CVE-2021-4104
  FME Desktop: Log4j 1.x is present in the installation for FME Desktop 2020.2 and older. To the best of our knowledge, FME Desktop 2020.x and older are not susceptible to CVE-2021-4104, as we don't allow the log4j configuration to be tweaked in the way required to exploit the vulnerability.
  FME Server: Log4j 1.x is present in the installation for FME Server 2020.2 and older. FME Server is not susceptible to CVE-2021-4104 because it does not use JNDI in its log4j configuration.


FME Desktop

Our team has reviewed the recent CVE report against log4j 2.x and to the best of our knowledge, FME Desktop 2021.x is not impacted by the vulnerability as described in CVE-2021-44228. Out of an abundance of caution, we have upgraded the component for FME Desktop 2021.2.2 and newer.

We do not have concerns for FME 2020.x and prior, as they do not contain the vulnerable log4j versions described in CVE-2021-44228. 

We do recommend that customers upgrade to the version of FME with the log4j upgrade when it becomes available. 
For FME 2021.x and newer: If there is concern regarding the version of FME Desktop you are using, you can remove the risk of vulnerability by:


FME License Server (FlexLM)

Our team has reviewed the recent CVE report against log4j 2.x, and all versions of FME License Server (using FlexLM/FlexNet Publisher) are not susceptible to the vulnerability as described in CVE-2021-44228. The FME License Server installation does not include any log4j-related files.


FME Server

Our team has reviewed the recent CVE reported against log4j 2.x and we are confident that our implementation is not susceptible to the vulnerability described as CVE-2021-44228 as all of our FME Server logging is using a proprietary internal class that is not affected. Out of an abundance of caution, we have upgraded the component for FME Server 2021.2.2 and newer.

FME Server 2020.x and newer do contain instances of the affected log4j versions; however, we are confident that it is not vulnerable because we do not actively use it for logging. FME Server 2019.x and older do not contain the vulnerable log4j versions described in CVE-2021-44228.

If there is concern regarding the presence of Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.17.0 in FME Server, you can remove the risk of vulnerability by performing the following steps (make backups of these files before making these replacements):

  1. Download the following log4j 2.17.1 files:
    1. Maven Repository: org.apache.logging.log4j » log4j-jcl » 2.17.1 (FME 2021.2 +)
    2. Maven Repository: org.apache.logging.log4j » log4j-core » 2.17.1 (FME 2021.0 +)
    3. Maven Repository: org.apache.logging.log4j » log4j-api » 2.17.1 (FME 2020.0 +)
    4. Maven Repository: org.apache.logging.log4j » log4j-to-slf4j » 2.17.1 (FME 2020.0 +)
    5. Maven Repository: org.apache.logging.log4j » log4j-slf4j-impl » 2.17.1 (FME 2021.0 +)
  2. Stop the FME Server Services
  3. In <FMEServerInstall>/Utilities/tomcat/webapps/fmeapiv4/WEB-INF/lib/ replace the following two files with the new versions:
    1. log4j-api-*.jar
    2. log4j-to-slf4j-*.jar
  4. FME Server 2021.x only (these files are not present in 2020.x): In <FMEServerInstall>/Utilities/tomcat/webapps/fmerest/WEB-INF/lib/ replace the following three files with the new versions:
    1. log4j-api-*.jar
    2. log4j-core-*.jar
    3. log4j-slf4j-impl-*.jar
  5. FME Server 2021.2 only (this folder does not exist in 2021.1 and 2021.0): In <FMEServerInstall>/Utilities/tomcat/webapps/fmesso/WEB-INF/lib/ replace the following two files with the new versions:
    1. log4j-api-*.jar
    2. log4j-to-slf4j-*.jar
  6. In <FMEServerInstall>/Server/lib/ replace the following 4 files with the new versions:
    1. log4j-api-*.jar
    2. log4j-core-*.jar
    3. log4j-jcl-*.jar
    4. log4j-slf4j-impl-*.jar
  7. In <FMEServerInstall>/Server/fme/plugins replace the following 4 files with the new versions: 
    1. log4j-api-*.jar
    2. log4j-core-*.jar
    3. log4j-jcl-*.jar
    4. log4j-slf4j-impl-*.jar
  8. Restart the FME Server Services


Note: if you use distributed engines installed on hosts separate from your FME Server Core, you will need to repeat step 7 on each engine machine, since each engine host has its own <FMEServerInstall>/Server/fme/plugins folder.
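A POSIX shell script, added here as an example and not Safe Software's own tooling, that carries out steps 3 to 7 on a Linux install: it inventories the log4j jars in the five folders named above (reading the version from the shipped log4j-<artifact>-<version>.jar filename), reports how many are still not at 2.17.1, and moves each outdated jar to a backup folder outside the classpath before copying in the matching 2.17.1 jar. The install root and the download folder are assumed arguments, and the sample tree it builds is constructed for demonstration; stop the FME Server services before running it against a real install.

```shell
# Added example, not Safe Software's own tooling. Versions are taken from the
# shipped filename pattern log4j-<artifact>-<version>.jar.
TARGET_VERSION="2.17.1"

# Directories from steps 3 to 7, relative to <FMEServerInstall>.
LOG4J_DIRS="Utilities/tomcat/webapps/fmeapiv4/WEB-INF/lib
Utilities/tomcat/webapps/fmerest/WEB-INF/lib
Utilities/tomcat/webapps/fmesso/WEB-INF/lib
Server/lib
Server/fme/plugins"

# Print "<relative dir> <jar basename> <version>" for each log4j jar found.
inventory_log4j() {
  echo "$LOG4J_DIRS" | while IFS= read -r rel; do
    [ -d "$1/$rel" ] || continue        # older releases lack some folders
    for jar in "$1/$rel"/log4j-*.jar; do
      [ -e "$jar" ] || continue         # glob matched nothing
      name=$(basename "$jar" .jar)
      echo "$rel $name ${name##*-}"
    done
  done
}

# Number of log4j jars not yet at the target version (0 = upgrade complete).
count_outdated() {
  inventory_log4j "$1" | awk -v t="$TARGET_VERSION" '$3 != t { n++ } END { print n + 0 }'
}

# Move each outdated jar to <install>/log4j-backup/<dir>/ (outside any
# classpath) and copy the matching log4j-<artifact>-2.17.1.jar from $2.
upgrade_jars() {
  found=$(inventory_log4j "$1")
  echo "$found" | while read -r rel name ver; do
    if [ -z "$name" ] || [ "$ver" = "$TARGET_VERSION" ]; then continue; fi
    artifact=${name%-*}                 # log4j-api-2.14.1 -> log4j-api
    [ -f "$2/$artifact-$TARGET_VERSION.jar" ] || { echo "no $TARGET_VERSION jar for $artifact" >&2; continue; }
    mkdir -p "$1/log4j-backup/$rel"
    mv "$1/$rel/$name.jar" "$1/log4j-backup/$rel/"
    cp "$2/$artifact-$TARGET_VERSION.jar" "$1/$rel/"
  done
}

# Constructed sample tree (not a real install) so the script runs stand-alone.
make_sample_tree() {
  t=$(mktemp -d); mkdir -p "$t/Server/lib" "$t/Server/fme/plugins" "$t/new"
  touch "$t/Server/lib/log4j-api-2.14.1.jar" "$t/Server/lib/log4j-core-2.14.1.jar" \
        "$t/Server/fme/plugins/log4j-api-2.17.1.jar" \
        "$t/new/log4j-api-2.17.1.jar" "$t/new/log4j-core-2.17.1.jar"
  echo "$t"
}
```

Run `count_outdated <FMEServerInstall>` again after `upgrade_jars <FMEServerInstall> <download folder>` and expect 0; on a real install the engine hosts from the note above need the same run.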


FME Server .war files

Once FME Server is installed, the .war files located in <FMEServerInstall>/Utilities/tomcat/ can be deleted to prevent security scanners from flagging the presence of vulnerable log4j files inside these archives. Before deleting the affected .war files you must stop the FME Server Application Server service; otherwise Tomcat will also automatically delete the corresponding deployed folders. Once the files have been deleted, restart the service.

FAQ

Can I upgrade log4j used in FME Desktop and FME Server myself? 

Yes, please see the instructions above for either FME Desktop or FME Server.
