Skip to main content
  • EN

FME Flow 2023.2.1
Build 23774

 

I’m planning on upgrading FME Form / Flow this weekend which includes fixing the following vulnerabilities detected from our internal Pen Test.

 

USR-640 Email Servers Advertise Software Type and Version 

Removing the software banner from the email server is typically done in the configuration file, for example sendmail.cf or postfix.conf.

Is it possible to fix this and where would the file(s) be located?

What change should take place?

 

USR-622 HSTS Missing from HTTPS Server

Is it simply enough to add the following to the web.xml config file?

 

<!-- Enable HSTS   -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsPreload</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>https://OUR_PRIMARY_DOMAIN.HERE</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<!-- Enable HSTS Filter  -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

 

I’m able to check if HSTS is enabled using my own PowerShell script thereafter as I did for my other servers. 

It’s probably a good idea to reach out to your local reseller/Safe to get some guidance on this in case there are any flow on effects of making these changes

It’s probably a good idea to reach out to your local reseller/Safe to get some guidance on this in case there are any flow on effects of making these changes

I don’t think there will be a knock on effect. HSTS should be fine and hiding software versions, creating custom error pages are common (Tomcat or any other web servers). I have custom error pages setup already on other Tomcat servers. That’s part of security hardening.

It’s is more about what works for FME Server.

I could have reached our reseller but it will most likely end up with Safe in any case. I might do that as well.

HSTS has now been enabled.

 

Closing this case

To close the loop I’m adding a link to the Sameer’s configuration and an article.
 


Thanks.

Reply


Community Stats

30,143
Posts
114,416
Replies
37,786
Members
Terms & ConditionsCookie settings
A product of
Safe Software respectfully acknowledges that we live, learn and work on the traditional and unceded territories of the Kwantlen, Katzie, and Semiahmoo First Nations.