Issue
A critical security vulnerability has been discovered that affects any FME Server 2019 installation with Active Directory configured. We strongly recommend that all affected users upgrade or patch as soon as possible.
Versions Affected
FME Server 2019.0
- 2019.0 Build 19115 to 2019.0.2.1 Build 19263
FME Server 2019.1
- 2019.1 Build 19500 to 2019.1.3 Build 19642
FME Server 2019.2 Beta and 2020.0 Beta
- 2019.2 (Beta) Build 19700 to Build 19788
- 2020.0 (Beta) Build 20000 to Build 20108
Resolution
Option 1: Upgrade FME Server
Installers for all versions of FME Server 2019 have been updated, and are available from the Downloads Page.
Option 2: Patch an Existing Installation
Note: This option is not available for FME Cloud users.
The resolution for this issue does not require reinstallation. An FME Server administrator may instead download the server-handler.jar attached to this article and follow the steps below.
FME Server 2019.0 to 2019.0.2.1
Note: The patched version for this instruction is attached as server-handler-2019-0.jar.zip
server-handler-2019-0.jar.zip
Stop FME Server
Windows: Start → FME Server → Stop FME Server
Linux: Run stopServer.sh
Move server-handler.jar to a safe backup location, and move the patched version into its place (Note: The original server-handler.jar should be moved outside of Server\lib)
Windows: Default location is C:\Program Files\FMEServer\Server\lib\server-handler.jar
Linux: Default location is /opt/fmeserver/Server/lib/server-handler.jar
Restart FME Server
Windows: Start → FME Server → Start FME Server
Linux: Run startServer.sh
FME Server 2019.1 to 2019.1.3
Note: The patched version for this instruction is attached as server-handler-2019-1.jar.zip
server-handler-2019-1.jar.zip
Stop FME Server
Windows: Start → FME Server → Stop FME Server
Linux: Run stopServer.sh
Move server-handler.jar to a safe backup location, and move the patched version into its place (Note: The original server-handler.jar should be moved outside of Server\lib)
Windows: Default location is C:\Program Files\FMEServer\Server\lib\server-handler.jar
Linux: Default location is /opt/fmeserver/Server/lib/server-handler.jar
Restart FME Server
Windows: Start → FME Server → Start FME Server
Linux: Run startServer.sh
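The Linux jar swap from the steps above (the same for the 2019.0 and 2019.1 patches), as an added example that is not Safe Software's own tooling: it refuses a backup location inside Server/lib and confirms by SHA-256 that the jar left in place is the patched one. The function name, its arguments and the .orig backup name are assumptions; run it after stopServer.sh and before startServer.sh.

```shell
#!/bin/sh
# Added example, not Safe Software's tooling. Run between the stop and restart steps.
# swap_handler_jar, its arguments and the ".orig" suffix are assumed names.

file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# swap_handler_jar LIB_DIR PATCHED_JAR BACKUP_DIR
# Returns 0 on success or when already patched. Codes 2, 3 and 6 are returned
# before the jar is touched; 4 = move/copy failed, 5 = hash mismatch after copy.
swap_handler_jar() {
    lib_dir=$1; patched=$2; backup_dir=$3
    target="$lib_dir/server-handler.jar"
    [ -f "$target" ]     || { echo "missing $target" >&2; return 2; }
    [ -f "$patched" ]    || { echo "missing patched jar $patched" >&2; return 2; }
    [ -d "$backup_dir" ] || { echo "missing backup dir $backup_dir" >&2; return 2; }

    # Resolve both paths so symlinks or ../ cannot hide a backup under Server/lib.
    lib_real=$(cd "$lib_dir" && pwd -P) || return 2
    backup_real=$(cd "$backup_dir" && pwd -P) || return 2
    case "$backup_real/" in
        "$lib_real/"*) echo "backup dir must be outside $lib_real" >&2; return 3 ;;
    esac
    saved="$backup_real/server-handler.jar.orig"

    # Re-running after a successful swap is a no-op.
    if [ "$(file_sha256 "$target")" = "$(file_sha256 "$patched")" ]; then
        echo "already patched"; return 0
    fi
    # Do not overwrite an earlier backup, and flag renamed copies left in lib.
    [ ! -e "$saved" ] || { echo "backup already exists: $saved" >&2; return 6; }
    stray=$(find "$lib_real" -maxdepth 1 -name 'server-handler.jar?*' | head -n 1)
    [ -z "$stray" ] || { echo "renamed copy still in lib: $stray" >&2; return 6; }

    mv "$target" "$saved" || return 4
    cp "$patched" "$target" || { mv "$saved" "$target"; return 4; }
    # The jar now in Server/lib must be byte-identical to the patched download.
    [ "$(file_sha256 "$target")" = "$(file_sha256 "$patched")" ] || return 5
    echo "patched; original saved to $saved"
}
```
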
FME Server 2019.2 Beta and 2020.0 Beta
It is recommended to reinstall the latest version of FME Server 2019.2 Beta or FME Server 2020.0 Beta.
Frequently Asked Questions
Q: Does this affect any other process or workflows in FME Server?
A: No. This issue is only related to the authentication and authorization of Active Directory user accounts that have been imported into FME Server.
Q: Do I need to upgrade to apply the patch for distributed FME Engines?
A: Yes. Either an upgrade or replacement of server-handler.jar, following the patching instructions, is required.
Q: I have installed the patch, or I have verified the security issue is not applicable to my installation – can I stop the 'Important System Message' from displaying?
[Update] The 'Important System Message' was disabled on December 23, 2019 at 12:00AM GMT.
A: Yes, while we recommend a full upgrade, we do have a workaround available:
Step 1. Open the propertiesFile.properties file for editing. This file is found in the Tomcat webapps folder: <FMEServer>\Utilities\tomcat\webapps\fmeserver\WEB-INF\conf\propertiesFile.properties
Step 2. Locate the BUILD_STRING parameter.
Step 3. Add " - patch1" (without quotes) to the end of the BUILD_STRING value. Please note that there is a space character both before and after the dash character. (Example: FME Server 2019.1.3 - Build 19642 - win64 - patch1)
Step 4. Restart FME Server.
If you need assistance with either resolution or have any further questions, comments, or concerns, please contact Safe Software Support.