Known Issue: FME Flow Apache Tomcat Vulnerability with X-Frame-Options header

Files

tester.jsp
- 293 Bytes
- Download

Known Issue ID	FMESERVER-10761
Feature	Apache Tomcat
Product	FME Flow (formerly FME Server)
Versions Affected	2025.0 2024.x 2023.x 2022.x 2021.x 2020.x 2019.x 2018.x
Status	Unresolved

Issue

A security scan has reported that FME Flow (formerly FME Server) does not utilize the X-Frame Options header, meaning an attacker can exploit vulnerabilities such as clickjacking.

Cause

Clickjacking is a technique used by malicious websites to trick a user into divulging confidential information by embedding the target website in an iframe. Check out OWASP to learn more about Clickjacking.

By default, FME Flow does not prevent clickjacking as this may disrupt legitimate uses of the web interface.

Workaround

To harden FME Flow against this vulnerability, you can enable the HTTP Header Security filter. This filter is built into FME Flow's Web Application Server (Tomcat) and, when enabled, instructs the user's browser to only allow pages of the same origin to be embedded or reject all embedding.

Download the attached tester.jsp file and place it in <FMEServerInstallDir>\Utilities\tomcat\webapps\ROOT
Open a web browser and navigate to http(s)://<FMEServerHost>/tester.jsp and you should now see your FME Flow login page embedded within a test page.
Run a text editor as an administrator and open web.xml, located in <FMEServerInstallDir>\Utilities\tomcat\conf
Search for <filter-name>httpHeaderSecurity</filter-name>. Two occurrences of this filter will be found; a filter and a filter-mapping element. Uncomment each of these by removing the <-- and --> symbols that are wrapped around the elements.
Add in the following antiClickJackingOption parameter with the value SAMEORIGIN underneath both the closing </filter> and </filter-mapping> tags.

      <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>

6. Once complete this should look like:

Screen Shot 2021-07-08 at 3.17.32 PM.png

---

Screen Shot 2021-07-08 at 3.17.58 PM.png

7. Save the file and restart the FME Web Application Server Service to apply the changes.
8. In the browser return to http(s)://<FMEServerHost>/tester.jsp and login, this time you'll see a refused to connect error.

9. Go to <FMEServerInstallDir>\Utilities\tomcat\webapps\ROOT and delete the tester.jsp

Note: Once enabled the httpHeaderSecurity filter will use the default values for all the associated parameters to reject all embedding. These values are listed in the web.xml and if you are wanting other behaviour(e.g. all from same origin) these should be set in the XML accordingly. For more information on these parameters please see the Apache Tomcat Documentation on Container Provided Filters.

Comments

1 comment

Johannes Schwer
- October 25, 2024 09:36
Configuring X-Frame-Options with antiClickJackingOption=SAMEORIGIN (or custom origin) is not only a security issue but a necessity when activating Strict Transport Headers (HSTS) as described here Enabling HTTP Response Headers to Secure the FME Server Web Application Server – FME Support Center. Setting strict transport header implicitly activates antiClickJacking with antiClickJackingOption=DENY which breaks FME Flow Dashboards (Job History) since these dashboards are embeded as frames.

0

Please sign in to leave a comment.