Skip to main content

Does the latest version of FME Server use Apache Tomcat versions 7.0.94, 8.5.40, 9.0.19 or later ? Our security monitors alerted us to the following Critical vulnerability. See https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/

Thanks

Hi @softwrite1,

Safe Software are aware of this vulnerability which involves Apache Tomcat’s Common Gateway Interface (CGI) Servlet. FME Server 2019 uses version 8.5.32 and also does not use the CGI protocol so this should not be an issue for our users.

You can confirm this by reviewing your tomcat web.xml and searching for 'CGIServlet' and you should see this is disabled by default.


Hi @hollyatsafe,

 

Another Tomcat vulnerability on recent Tomcat versions -

https://thehackernews.com/2020/02/ghostcat-new-high-risk-vulnerability.html

https://www.chaitin.cn/en/ghostcat

 

Any updates on this please? Thanks!


Hi @hollyatsafe,

 

Another Tomcat vulnerability on recent Tomcat versions -

https://thehackernews.com/2020/02/ghostcat-new-high-risk-vulnerability.html

https://www.chaitin.cn/en/ghostcat

 

Any updates on this please? Thanks!

Hi @fmeuser_gc, our team is actively looking into the issue you have highlighted and we will provide an update regarding any mitigation or action required.


Hi @fmeuser_gc, our team is actively looking into the issue you have highlighted and we will provide an update regarding any mitigation or action required.

We have determined that the AJP Connector is not required for FME Server processes. Before we release any product updates we will run this change internally against our full test suite.

You might consider implementing the suggestions from the article(s) you have linked above if you have more immediate concerns.

We will post content to the FME Community after we analyze the results of internal testing.

If you need updates in a more timely fashion, or have additional questions or concerns, please reach out to our Support Team.


Hi @hollyatsafe,

 

Another Tomcat vulnerability on recent Tomcat versions -

https://thehackernews.com/2020/02/ghostcat-new-high-risk-vulnerability.html

https://www.chaitin.cn/en/ghostcat

 

Any updates on this please? Thanks!

Update on this Tomcat Vulnerability - The solution here is either to upgrade Tomcat to latest version or disable AJP connector in server.xml file.


We have determined that the AJP Connector is not required for FME Server processes. Before we release any product updates we will run this change internally against our full test suite.

You might consider implementing the suggestions from the article(s) you have linked above if you have more immediate concerns.

We will post content to the FME Community after we analyze the results of internal testing.

If you need updates in a more timely fashion, or have additional questions or concerns, please reach out to our Support Team.

Hi @rylanatsafe, the confusion here was the AJP connector was enabled (by default) though it's not needed. We've disabled it now and looks okay.


Update on this Tomcat Vulnerability - The solution here is either to upgrade Tomcat to latest version or disable AJP connector in server.xml file.

@fmeuser_gc You are correct on both accounts! We plan to publish an article detailing how FME Server admins can disable the AJP Connector for their existing installations. We will disable this component in the product, and will schedule a Tomcat upgrade (as you note, where it's disabled by default now).

There were no issues observed after our internal testing.


@fmeuser_gc You are correct on both accounts! We plan to publish an article detailing how FME Server admins can disable the AJP Connector for their existing installations. We will disable this component in the product, and will schedule a Tomcat upgrade (as you note, where it's disabled by default now).

There were no issues observed after our internal testing.

Just an FYI that I did an install of 2020.0.0.1-b20202-win-x64 that still has the AJP connector enabled. It looks like this is not disabled by default until 9.0.31, 9.0.24 is what was installed with the default windows install. Commenting out the AJP connector doesn't seem to affect anything.


Just an FYI that I did an install of 2020.0.0.1-b20202-win-x64 that still has the AJP connector enabled. It looks like this is not disabled by default until 9.0.31, 9.0.24 is what was installed with the default windows install. Commenting out the AJP connector doesn't seem to affect anything.

Hi @jeovis, the AJP Connector will be disabled by default in the next minor update of FME Server 2020.0.

As you have noticed it doesn't affect anything – we do not use this component with FME Server.

 

 

Edited to specify FME Server 2020.0.

@rylanatsafe Hi, we are running FME Server 2019.2.1 Build 19813 - win32 . Can we safely upgrade tomcat to version 9.0.31 without upgrading the FME server?

Is the article regarding disable the AJP connector already available?

Kind regards

Francis


@rylanatsafe Hi, we are running FME Server 2019.2.1 Build 19813 - win32 . Can we safely upgrade tomcat to version 9.0.31 without upgrading the FME server?

Is the article regarding disable the AJP connector already available?

Kind regards

Francis

Hi @fbulco, I'm sorry that we haven't posted this information more generally yet. The fix for the AJP Connector is simple enough that you can comment out the following lines in <FMEServerDir>\Utilities\tomcat\conf\server.xml 

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

We have not used this Connector in any FME Server processes.

 

As for upgrading Tomcat, we have performed extensive testing with Tomcat 9.0.24, so while there are no known issues with 9.0.31, please note that it has not been included in our standard test coverage.

Hope that helps!


@jsarris, Yes, you can disable the AJP connector. There shouldn't be any impact.

FYI, this will be disabled by default from next versions.


Any users that come across this post looking for information on the AJP Connector vulnerability please see this article for more information.

 

 

If your security scan reports any other vulnerabilities with FME Server, please contact Safe Software Support with the CVE numbers so that we can investigate these for you.

Reply