Solved

How to remediate CVE-2022-21724 in FME Server and FME Desktop?

  • May 12, 2022
  • 4 replies
  • 93 views

A serious security alert (CVE-2022-21724) was announced for the PostgreSQL JDBC driver on February 2, 2022. We need to upgrade the PostgreSQL JDBC driver to 42.2.25 or above to remediate it.

We have identified a total of 4 PostgreSQL JDBC drivers in FME Server and FME Desktop:

  • [FME Server Root]\Utilities\tomcat\lib\postgresql-42.2.24.jar
  • [FME Server Root]\Utilities\jdbc\postgresql-42.2.24.jar
  • [FME Server Root]\Server\fme\plugins\postgresql-42.2.16.jar
  • [FME Desktop Root]\FME\plugins\postgresql-42.2.16.jar

Is there any patch available to remediate this vulnerability in those products? Or can we just replace those drivers with the required version?
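The four jar locations listed above are easy to miss on a second host or after a reinstall, so here is a small inventory script that walks the FME Server and FME Desktop install roots, reads each postgresql*.jar's version from its file name (or from the Implementation-Version header in its META-INF/MANIFEST.MF when the jar has been renamed), and flags every version inside the published affected range. This is an added example, not Safe Software's code or a supported tool. The 42.2.25 threshold is the one named in this thread; the 42.3.2 threshold for the 42.3 line comes from the upstream pgjdbc advisory, not from the thread. The demo tree the script builds is constructed to mirror the paths in the question.

```python
"""Inventory PostgreSQL JDBC driver jars below the FME install roots and flag
the ones affected by CVE-2022-21724. Added example, not Safe Software code."""
import re
import tempfile
import zipfile
from pathlib import Path


def is_vulnerable(version):
    """Affected range as published for pgjdbc: everything before 42.2.25, plus
    42.3.0 and 42.3.1 (the 42.3 line was fixed in 42.3.2; that threshold is
    from the upstream advisory, not from the thread)."""
    return version < (42, 2, 25) or (42, 3, 0) <= version < (42, 3, 2)


_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'postgresql-42.2.24.jar' -> (42, 2, 24); None if no x.y.z is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def jar_version(jar):
    """Version from the file name, falling back to the Implementation-Version
    header in META-INF/MANIFEST.MF for jars that were renamed on install."""
    v = parse_version(jar.name)
    if v is not None:
        return v
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return parse_version(value)
    return None


def scan(roots):
    """Return a sorted list of (path, version, vulnerable) for every
    postgresql*.jar found below the given install roots. 'vulnerable' is None
    when no version could be determined, so the jar still shows up for review."""
    findings = []
    for root in roots:
        for jar in Path(root).rglob("postgresql*.jar"):
            v = jar_version(jar)
            findings.append((str(jar), v, None if v is None else is_vulnerable(v)))
    return sorted(findings)


def _write_jar(path, version):
    """Write a minimal stand-in jar (a zip holding only a manifest) for the demo."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")


def demo():
    """Constructed install tree mirroring the four locations from the question,
    plus one renamed jar whose version is only in its manifest (hypothetical)."""
    base = Path(tempfile.mkdtemp(prefix="fme-jdbc-"))
    server = base / "FMEServer"   # stands in for [FME Server Root]
    desktop = base / "FME"        # stands in for [FME Desktop Root]\FME
    _write_jar(server / "Utilities" / "tomcat" / "lib" / "postgresql-42.2.24.jar", "42.2.24")
    _write_jar(server / "Utilities" / "jdbc" / "postgresql-42.2.24.jar", "42.2.24")
    _write_jar(server / "Server" / "fme" / "plugins" / "postgresql-42.2.16.jar", "42.2.16")
    _write_jar(desktop / "plugins" / "postgresql-42.2.16.jar", "42.2.16")
    _write_jar(server / "Utilities" / "jdbc" / "postgresql.jar", "42.2.25")  # renamed, fixed
    return scan([server, desktop])


if __name__ == "__main__":
    for path, version, vulnerable in demo():
        state = "unknown" if vulnerable is None else ("VULNERABLE" if vulnerable else "ok")
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{state:10} {shown:8} {path}")
```

Against a real install, call `scan()` with the actual roots (for example `scan([r"C:\Program Files\FMEServer", r"C:\Program Files\FME"])`; those paths are an assumption, not taken from the thread). Anything reported as VULNERABLE or unknown is a jar to replace and then re-test, and since the plugins copies back the Postgres (JDBC) format used by workspaces, a Dev environment run of a JDBC reader/writer workspace after the swap is the sensible check before touching production.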

4 replies

steveatsafe
  • Safer
  • 422 replies
  • May 12, 2022

Thanks for posting this question.

What version of FME Server & Desktop are in play here?


steveatsafe
  • Safer
  • 422 replies
  • May 12, 2022

I have personally tested newer versions of the Postgres JDBC Drivers with the FME Server System Database (on Postgres), but I've not tested the Engine with the newer version of the JDBC for the Postgres format.

My suggestion for FME Server is to test in a Dev environment (tomcat & jdbc locations)...

If you know your team makes use of the Postgres Format (JDBC) in the workspaces, then you'll also want to replace the file in the 'plugins' folder for both Server and Desktop, and test the format in a workspace.

I'm going to run a few tests and report back, but these won't be 'official' product tests that FME would go through in our testsuite.

Likely we can get this driver updated for FME 2022.x.


steveatsafe
  • Safer
  • 422 replies
  • Best Answer
  • May 13, 2022

I got around to doing a quick test using FME Server 2020.2.2 with the postgresql-42.2.25.jar version and all seemed well.

I tested the JDBC format in FME Desktop (JDBC Reader/Writer & SQLCreator). I ran this workspace on FME Server. I also updated the drivers found in FMEServer/Utilities/jdbc & lib and restarted FME Server and did some basic tests in the Web UI. All seems well.

We will be doing more in-depth testing with FME 2022 and likely the driver will be updated.

If you have more concerns please reach out or create a case with Safe Software Support.


  • Author
  • 1 reply
  • May 13, 2022

@steveatsafe Thanks for your response and testing! Our FME Server & Desktop are both 2021.2. Please keep me posted if you have more findings. Thanks a lot!