FME Server 2019 Security Update

Liz Sanderson

Issue

A critical security vulnerability has been discovered that affects any FME Server 2019 installation with Active Directory configured. We strongly recommend that all affected users upgrade or patch as soon as possible.


Versions Affected

FME Server 2019.0

  • 2019.0 Build 19115 to 2019.0.2.1 Build 19263

FME Server 2019.1

  • 2019.1 Build 19500 to 2019.1.3 Build 19642

FME Server 2019.2 Beta and 2020.0 Beta

  • 2019.2 (Beta) Build 19700 to Build 19788
  • 2020.0 (Beta) Build 20000 to Build 20108


Resolution

Option 1: Upgrade FME Server

Installers for all versions of FME Server 2019 have been updated, and are available from the Downloads Page.


Option 2: Patch an Existing Installation

Note: This option is not available for FME Cloud users.

The resolution for this issue does not require reinstallation. An FME Server administrator may instead download the server-handler.jar attached to this article and follow the steps below.

FME Server 2019.0 to 2019.0.2.1

Note: The patched version for this instruction is attached as server-handler-2019-0.jar.zip

server-handler-2019-0.jar.zip

  1. Stop FME Server

    1. Windows: Start → FME Server → Stop FME Server

    2. Linux: Run stopServer.sh

  2. Move server-handler.jar to a safe backup location, and move the patched version into its place (Note: The original server-handler.jar should be moved outside of Server\lib)

    1. Windows: Default location is C:\Program Files\FMEServer\Server\lib\server-handler.jar

    2. Linux: Default location is /opt/fmeserver/Server/lib/server-handler.jar

  3. Restart FME Server

    1. Windows: Start → FME Server → Start FME Server

    2. Linux: Run startServer.sh


FME Server 2019.1 to 2019.1.3

Note: The patched version for this instruction is attached as server-handler-2019-1.jar.zip

server-handler-2019-1.jar.zip

  1. Stop FME Server

    1. Windows: Start → FME Server → Stop FME Server

    2. Linux: Run stopServer.sh

  2. Move server-handler.jar to a safe backup location, and move the patched version into its place (Note: The original server-handler.jar should be moved outside of Server\lib)

    1. Windows: Default location is C:\Program Files\FMEServer\Server\lib\server-handler.jar

    2. Linux: Default location is /opt/fmeserver/Server/lib/server-handler.jar

  3. Restart FME Server

    1. Windows: Start → FME Server → Start FME Server

    2. Linux: Run startServer.sh
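
The Linux jar swap in step 2 of both procedures above, as an added shell example that is not Safe Software's own script. The function name swap_handler_jar, its three arguments and the backup directory in the usage comment are assumptions; it expects FME Server to be stopped already and the attachment to be unzipped.

```bash
#!/usr/bin/env bash
# Added example (not vendor code). Run only after FME Server has been stopped
# and the downloaded .jar.zip has been unzipped.
# Usage: swap_handler_jar LIB_DIR PATCHED_JAR BACKUP_DIR   (hypothetical helper)
swap_handler_jar() {
    local lib_dir patched backup_dir target backup
    lib_dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "lib dir not found: $1" >&2; return 2; }
    backup_dir=$(cd "$3" 2>/dev/null && pwd -P) || { echo "backup dir not found: $3" >&2; return 2; }
    patched=$2
    target="$lib_dir/server-handler.jar"

    [ -f "$target" ] || { echo "no server-handler.jar in $lib_dir" >&2; return 2; }
    [ -s "$patched" ] || { echo "patched jar missing or empty: $patched" >&2; return 2; }

    # The article requires the original jar to be kept outside Server/lib,
    # so refuse a backup directory that is the lib directory or lies below it.
    case "$backup_dir/" in
        "$lib_dir"/*) echo "backup dir must be outside $lib_dir" >&2; return 3 ;;
    esac

    # Re-running after a successful swap must not create a second backup.
    if cmp -s "$target" "$patched"; then
        echo "already patched"
        return 0
    fi

    backup="$backup_dir/server-handler.jar.$(date +%Y%m%d%H%M%S)"
    mv "$target" "$backup" || return 4
    if ! cp "$patched" "$target"; then
        mv "$backup" "$target"   # roll back so the server still has its jar
        return 4
    fi

    # Record hashes of both jars for the change record.
    sha256sum "$backup" "$target" 2>/dev/null || cksum "$backup" "$target"
}

# Default Linux lib path from the article; the backup directory is an assumption:
#   swap_handler_jar /opt/fmeserver/Server/lib ./server-handler.jar /root/fme-backup
if [ "$#" -eq 3 ]; then swap_handler_jar "$@"; fi
```

cp creates the new jar with the invoking user's ownership and umask, so match them to the original file if FME Server runs under a different account.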


FME Server 2019.2 Beta and 2020.0 Beta

It is recommended to reinstall the latest version of FME Server 2019.2 Beta or FME Server 2020.0 Beta.


Frequently Asked Questions

Q: Does this affect any other process or workflows in FME Server?
A: No. This issue is only related to the authentication and authorization of Active Directory user accounts that have been imported into FME Server.

Q: Do I need to upgrade to apply the patch for distributed FME Engines?
A: Yes. An upgrade is required, or replacement of server-handler.jar by following the patching instructions.

Q: I have installed the patch, or I have verified the security issue is not applicable to my installation – can I stop the 'Important System Message' from displaying?
[Update] The 'Important System Message' was disabled on December 23, 2019 at 12:00 AM GMT.
A: Yes, while we recommend a full upgrade, we do have a workaround available:

Step 1. Open the propertiesFile.properties file for editing. This file is found in the Tomcat webapps folder: <FMEServer>\Utilities\tomcat\webapps\fmeserver\WEB-INF\conf\propertiesFile.properties
Step 2. Locate the BUILD_STRING parameter.
Step 3. Add " - patch1" (without quotes) to the end of the BUILD_STRING value. Please note that there is a space character before and after the dash character. (Example: FME Server 2019.1.3 - Build 19642 - win64 - patch1)
Step 4. Restart FME Server.



If you need assistance with either resolution or have any further questions, comments, or concerns, please contact Safe Software Support.
