Solved

How to remediate CVE-2022-21724 in FME Server and FME Desktop?


A serious security alert (CVE-2022-21724) was announced for the PostgreSQL JDBC driver on February 2, 2022. We need to upgrade the PostgreSQL JDBC driver to 42.2.25 and above to remediate it.

 

We have identified a total of 4 PostgreSQL JDBC drivers in FME Server and FME Desktop:

[FME Server Root]\Utilities\tomcat\lib\postgresql-42.2.24.jar

[FME Server Root]\Utilities\jdbc\postgresql-42.2.24.jar

[FME Server Root]\Server\fme\plugins\postgresql-42.2.16.jar

[FME Desktop Root]\FME\plugins\postgresql-42.2.16.jar

 

Is there any patch available to remediate this vulnerability in those products? Or can we just replace those drivers with the required version?


Best answer by steveatsafe 13 May 2022, 04:04


4 replies

Badge +11

Thanks for posting this question.

What version of FME Server & Desktop are in play here?

Badge +11

I have personally tested newer versions of the Postgres JDBC Drivers with the FME Server System Database (on Postgres), but I've not tested the Engine with the newer version of the JDBC for the Postgres format.

My suggestion for FME Server is to test in a Dev environment (tomcat & jdbc locations)...

 

If you know your team makes use of the Postgres Format (JDBC) in the workspaces, then you'll also want to replace the file in the 'plugins' folder for both Server and Desktop, and test the format in a workspace.

 

I'm going to run a few tests and report back, but these won't be 'official' product tests that FME would go through in our test suite.

 

Likely we can get this driver updated for FME 2022.x.

Badge +11

I got around to doing a quick test using FME Server 2020.2.2 with the postgresql-42.2.25.jar version and all seemed well.

I tested the JDBC format in FME Desktop (JDBC Reader/Writer & SQLCreator). I ran this workspace on FME Server. I also updated the drivers found in FMEServer/Utilities/jdbc & lib and restarted FME Server and did some basic tests in the Web UI. All seems well.

 

We will be doing more in-depth testing with FME 2022 and likely the driver will be updated.

 

If you have more concerns please reach out or create a case with Safe Software Support.
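An added verification check, not from Safe Software or this thread, that inventories the driver copies the question lists and flags any below 42.2.25. The install roots in the sample are assumed, and the sample deliberately includes a stale 42.2.24 left beside a new 42.2.25 in tomcat/lib, which a name-only check would otherwise pass:

```python
import re
from collections import defaultdict
from pathlib import Path

# Lowest driver version the thread names as remediating CVE-2022-21724.
MIN_FIXED = (42, 2, 25)
JAR_RE = re.compile(r"^postgresql-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)

# Constructed sample: the four locations the question lists (roots are assumed), plus a
# stale 42.2.24 left in tomcat/lib beside a newly dropped-in 42.2.25.
SAMPLE_PATHS = [
    r"C:\FMEServer\Utilities\tomcat\lib\postgresql-42.2.24.jar",
    r"C:\FMEServer\Utilities\tomcat\lib\postgresql-42.2.25.jar",
    r"C:\FMEServer\Utilities\jdbc\postgresql-42.2.24.jar",
    r"C:\FMEServer\Server\fme\plugins\postgresql-42.2.16.jar",
    r"C:\Program Files\FME\plugins\postgresql-42.2.16.jar",
]

def split_path(p):
    """Split on either separator so Windows paths audit correctly on any OS."""
    parts = re.split(r"[\\/]+", p)
    return "/".join(parts[:-1]), parts[-1]

def classify(filename):
    """'fixed' if version >= MIN_FIXED, 'vulnerable' if lower, None if not a pgjdbc jar."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return "fixed" if tuple(map(int, m.groups())) >= MIN_FIXED else "vulnerable"

def audit(paths):
    """Return {directory: 'ok' | 'vulnerable' | 'stale copy'} for every pgjdbc jar found.
    Tomcat's common loader puts every jar in tomcat/lib on the classpath, so an old copy
    left beside the new one is flagged as 'stale copy' instead of passing as fixed."""
    by_dir = defaultdict(list)
    for p in paths:
        d, name = split_path(p)
        if (c := classify(name)) is not None:
            by_dir[d].append(c)
    return {d: "stale copy" if len(s) > 1 else ("ok" if s[0] == "fixed" else "vulnerable")
            for d, s in by_dir.items()}

def scan_roots(roots):
    """Walk real install roots (FME Server and FME Desktop) and audit what is on disk."""
    return audit(str(j) for r in roots for j in Path(r).rglob("postgresql-*.jar"))

if __name__ == "__main__":
    for d, status in audit(SAMPLE_PATHS).items():
        print(f"{status:10} {d}")
```

Run `scan_roots([server_root, desktop_root])` after swapping the jars to confirm every directory reports `ok`; `scan_roots` also catches copies outside the four known folders.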

@steveatsafe Thanks for your response and testing! Our FME Server & Desktop are both 2021.2. Please keep me posted if you have more findings. Thanks a lot!
