FME Version
| Known Issue IDs | FMEFORM-28748, FMEFORM-28749, FMEFORM-28750 |
|---|---|
| CVE | Pending |
| Discovered | 2023.0.0.1 |
| Affects | All FME Form 2023.0 and FME Desktop* 2022.2 and prior versions |
| Resolved | Remediation in progress; see available workarounds. |
*FME Desktop was renamed to FME Form for FME 2023.0
We have not identified active exploitation of this vulnerability in any of our products.
Symptom
Encryption weaknesses in FME Form (formerly FME Desktop) could be abused by an adversary to decrypt data and gain unauthorized access to a connected FME Flow (formerly FME Server) instance and other integrated systems.
Cause
An attacker with access to the user profile on the client machine could reverse engineer cryptographic functions to decrypt sensitive data, such as credentials.
Severity
Safe Software assesses the severity of this vulnerability as Medium, according to our calculated CVSS score of 6.5. This is our assessment, and you should evaluate its applicability to your own IT environment.
Workarounds
At this time, we recommend the following workarounds. Each workaround on its own prevents the current attack vector, and they are complementary.
- Upgrade to FME Form 2023.1+, and delete the Java Key Store Files. This version no longer ships the Java libraries and allows deletion of the Java Key Store Files without issues.
- To find the Java key store in FME 2023.1+, go to Tools > FME Options > Default Paths, where you should see the location of the FME Key Store Files, and where the Java Key Store Files (ending in .jceks) are also located. Do not delete the FME Key Store Files (ending in .fmeks).
- Configure FME to password protect the key store files.
- Administrators can migrate the key store location to a directory requiring escalated privilege or restrict permissions on the file (e.g. change the permissions to ‘just me’).
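As an added example that is not Safe Software's own tooling, the POSIX shell script below carries out the last workaround on Linux or macOS installs: it audits the Java Key Store Files (.jceks) in the key store directory shown under Tools > FME Options > Default Paths, reports any that are readable by group or others, and tightens them to owner-only (mode 0600), which is the equivalent of the "just me" permission setting. The directory path is passed in by the caller and is an assumption; the script never modifies .fmeks files, which the advisory says to keep.

```shell
#!/bin/sh
# Added example (not part of the FME product): audit and restrict permissions on
# FME Java Key Store Files (*.jceks). The key store directory is an assumption
# supplied by the caller; take it from Tools > FME Options > Default Paths.

# Print every .jceks file under DIR whose group/other permission bits are set.
# The mode string is read from `ls -l` (columns 5-10 are the group and other
# bits), which keeps this portable between GNU and BSD userlands.
find_open_jceks() {
    find "$1" -type f -name '*.jceks' | while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c5-10)
        [ "$mode" = "------" ] || printf '%s\n' "$f"
    done
}

# Restrict every .jceks file under DIR to owner read/write only (0600).
# .fmeks files are deliberately not matched and are left untouched.
restrict_jceks() {
    find "$1" -type f -name '*.jceks' -exec chmod 600 {} +
}

# Exit 0 if no .jceks file under DIR is group/world accessible, else 1.
jceks_locked_down() {
    [ -z "$(find_open_jceks "$1")" ]
}

# Number of .jceks files under DIR. After upgrading to FME Form 2023.1+ and
# deleting the Java Key Store Files, this should report 0.
count_jceks() {
    find "$1" -type f -name '*.jceks' | wc -l | tr -d ' '
}

# Usage: sh fme_jceks_perms.sh /path/to/fme/keystore/dir
# With no argument nothing runs, so the file can also be sourced for its functions.
if [ -n "${1:-}" ]; then
    echo "$(count_jceks "$1") .jceks file(s) found under $1"
    if jceks_locked_down "$1"; then
        echo "all .jceks files are already owner-only"
    else
        echo "tightening permissions on:"
        find_open_jceks "$1"
        restrict_jceks "$1"
    fi
fi
```

Run it against the Java key store directory as the FME user who owns the files. On Windows the same restriction is applied through the file's Properties > Security dialog or `icacls`, which this script does not cover.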
Will I be notified when the fixed release is available?
You may subscribe to our mailing list to be notified when new downloads are available on our Downloads page, and this article will be updated accordingly.
Recognition
We would like to thank Malware Security for making this responsible disclosure and recognize their contribution to increasing the security standard of the FME Platform.
Reporting Security Issues
If you believe you have discovered a vulnerability in the FME Platform, our website, or our other products, please email us as quickly as possible at security at safe dot com.
We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.
Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.
Support
If you have questions or concerns regarding this advisory, please raise a support request.