Skip to main content

Hey all, seems a new vulnerability is currently being exploited across the wider network.

 

From what @Todd Davis​ and myself have determined, it seems it will effect FME Server. 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

 

Further investigation seems to show that FME Server 2021.1 and on wards contain 2.13. Versions post 2.10 can include the following parameter to mitigate the exploit:

‐Dlog4j2.formatMsgNoLookups=True

 

https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/

Hi Hamish. Our developers did investigate and we are confident that FME is not susceptible to this vulnerability. All of our FME Server logging is done using our own internal code, not log4j.

 

That component is in FME Server (I'm not sure why; perhaps it is part of a package or we use it for something different) so we'll update it anyway. But whatever it's for, that particular vulnerability won't affect us.


We have received a number of additional questions and we will update the article we have posted.

https://community.safe.com/s/article/Is-FME-Server-Affected-by-the-Security-Vulnerability-Reported-Against-log4j

 

If you have any additional concerns, that have not been raised by others in the FME community (i.e. posted as comments to that article or this Q&A posting), please let us know.


Thanks @rylanatsafe​  and @mark2atsafe​ 


Reply