Skip to main content

A serious security alert (CVE-2022-21724) was announced for the PostgreSQL JDBC driver on February 2, 2022. We need to upgrade PostgresSQL JDBC driver to 42.2.25 and above to remediate it.

 

We have identified total 4 PostgresSQL JDBC drivers in FME Server and FME Desktop:

>FME Server Root]\\Utilities\\tomcat\\lib\\postgresql-42.2.24.jar

>FME Server Root]\\Utilities\\jdbc\\postgresql-42.2.24.jar

>FME Server Root]\\Server\\fme\\plugins\\postgresql-42.2.16.jar

>FME Desktop Root]\\FME\\plugins\\postgresql-42.2.16.jar

 

Is there any patch available to remediate this vulnerability in those products? Or can we just replace those drivers with the required version?

Thanks for posting this question.

What version of FME Server & Desktop are in play here?


I have personally tested newer versions of the Postgres JDBC Drivers with the FME Server System Database (on Postgres), but I've not tested the Engine with the newer version of the JDBC for the Postgres format.

My suggestion for FME Server is to test in a Dev environment (tomcat & jdbc locations)...

 

If you know your team makes use of the Postgres Format (JDBC) in the workspaces, then you'll also want to replace the file in the 'plugins' folder for both Server and Desktop test the format in a workspace.

 

I'm going to run a few tests and report back, but these wont' be 'official' product tests that FME would go through in our testsuite.

 

Likely we can get this driver updated for FME 2022.x.


I got around to doing a quick test using FME Server 2020.2.2 with the postgresql-42.2.25.jar version and all seemed well.

I tested the JDBC format in FME Desktop (JDBC Reader/Writer & SQLCreator). I ran this workspace on FME Server. I also updated the drivers found in FMEServer/Utilities/jdbc & lib and restarted FME Server and did some basic tests in the Web UI. All seems well.

 

We will be doing more in-depth testing with FME 2022 and likely the driver will be updated.

 

If you have more concerns please reach out or create a case with Safe Software Support.


@steveatsafe​  Thanks for your response and testing! Our FME Server & Desktop are both 2021.2. Please keep me posted if you have more findings. Thanks a lot!


Reply