Today we saw this broadcast message from Safe Software on our FME Flow servers (2023.2.2):
The link in the message is not working and I do not see any recent security issues.
We have only external ports configured for dynamic engines and licenses. The FME Flow instance is not accessible from outside our network.
I find it strange that they can create broadcast messages on our servers.
That is all a bit suspicious, is anyone else experiencing the same?
Best answer by luke.hicks
Hello Francis,
Thank you for bringing this to our attention, and we sincerely apologize for the inconvenience caused. The article link referenced in our earlier notification was not live at the time the message was sent. We understand how this may have caused some confusion.
If you have any further questions or require additional clarification, please don't hesitate to reach out. We appreciate your patience and understanding as we work to provide timely updates and information.
Thank you for your continued trust in Safe Software.
Yes, I see that too. No, I don’t think it is suspicious, and I don’t think it is a broadcast message: I think it is FME Flow checking in with Safe, so the other way around: pull instead of push.
So
"The FME Flow instance is not accessible from outside our network."
as long as FME Flow can access the internet, you would see this. It does not need to be accessible from the outside for something like this.
I’ve also received the warning about this security problem through other channels, so the warning is legit. It would be nice if someone from Safe can confirm that these warnings are pull instead of push, since I’m not 100% sure, but it did not surprise me at all this morning. I’m 99.9% sure that it is pull instead of push.
It seems that Safe released the article without proper permissions, even partners can’t access it at the moment. I’m sure it’ll be fixed relatively soon.
Regarding the broadcast message, my understanding is that it’s FME Core itself that polls a message API at Safe to check for new broadcast messages. Safe does not push messages to your servers.
FME Flow is pulling these broadcast messages from Safe, if the system is allowed to do HTTP requests to the internet (via proxy). You’ll see the messages in your “core_fmeconfiguration.log” logfile, and as far as I can see, a check happens every 12 hours:
Tue-17-Dec-2024 11:32:23.853 AM INFORM broadcast-check-1 411201 : Checking broadcast system for system messages.
Tue-17-Dec-2024 11:32:24.518 AM INFORM broadcast-check-1 411206 : Broadcast system check complete.
So it can take up to 12 hours for the message to be visible.
I’ll also add that you can disable individual broadcast messages under System Configuration / Broadcast Messages. You can also manually add your own messages to alert other users about e.g. maintenance.
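One way to confirm from the server's own log that the broadcast checks are scheduled outbound polls, as an added example that is not part of the original thread or Safe Software's code: it parses lines in the layout quoted above, pairs each check with its completion line, and reports the gap between polls. The sample lines after the first two are constructed, and treating a start with no completion line as an unfinished poll is an assumption.

```python
import re
from datetime import datetime

# Layout taken from the two core_fmeconfiguration.log lines quoted in the thread.
LINE = re.compile(
    r"^\w{3}-(\d{2}-\w{3}-\d{4} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M) "
    r"\w+ (\S+) \d+ : (.*)$"
)
START = "Checking broadcast system for system messages."
DONE = "Broadcast system check complete."

# First two lines are from the thread; the remaining three are constructed.
SAMPLE = """\
Tue-17-Dec-2024 11:32:23.853 AM INFORM broadcast-check-1 411201 : Checking broadcast system for system messages.
Tue-17-Dec-2024 11:32:24.518 AM INFORM broadcast-check-1 411206 : Broadcast system check complete.
Tue-17-Dec-2024 11:32:23.853 PM INFORM broadcast-check-1 411201 : Checking broadcast system for system messages.
Tue-17-Dec-2024 11:32:24.401 PM INFORM broadcast-check-1 411206 : Broadcast system check complete.
Wed-18-Dec-2024 11:32:23.853 AM INFORM broadcast-check-1 411201 : Checking broadcast system for system messages.
""".splitlines()

def parse_checks(lines):
    """Pair each poll start with its completion; end stays None if none was logged."""
    checks, open_idx = [], {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unrelated or differently formatted log line
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %I:%M:%S.%f %p")
        thread, text = m.group(2), m.group(3)
        if text == START:
            open_idx[thread] = len(checks)
            checks.append([ts, None])
        elif text == DONE and thread in open_idx:
            checks[open_idx.pop(thread)][1] = ts
    return checks

def poll_gaps(checks):
    """Time between consecutive poll starts (the thread observed about 12 hours)."""
    starts = [start for start, _ in checks]
    return [later - earlier for earlier, later in zip(starts, starts[1:])]

def unfinished(checks):
    """Starts with no completion line, e.g. outbound HTTP blocked (assumption)."""
    return [start for start, end in checks if end is None]

if __name__ == "__main__":
    checks = parse_checks(SAMPLE)
    print("gaps between polls:", [str(g) for g in poll_gaps(checks)])
    print("polls without completion:", [str(s) for s in unfinished(checks)])
```

The month abbreviation is parsed with `%b`, so this assumes an English or C locale.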