The CVE seems to concern the possibility of a denial-of-service (DoS) attack.
Is your FME Flow instance openly reachable from the (public) Internet? If yes, it might indeed be an issue that needs addressing through an upgrade of your Flow instance.
If the Flow instance is only reachable from within your local enterprise network, I wouldn’t really call this a major issue -- unless you suspect there might be malicious actors within your organisation.
Hi David,
Thanks for your reply.
At the moment the server is not openly reachable. But we want to change this.
When you say upgrade the Flow instance, do you mean upgrade Flow to 2024 or 2025?
Do you know the version of tomcat that's used in 2024 or 2025?
The vulnerability is addressed in tomcat 9.0.80.
I also see an option to update Tomcat to a newer version.
https://support.safe.com/hc/en-us/articles/25407527726221-FME-Flow-Upgrade-Provide-your-own-version-of-Tomcat
Regards
Tibor
I would advise against updating Tomcat alone, unless you know what you’re doing. It’s probably much easier to simply upgrade FME Flow. At least that was the recommendation from Safe the last time I asked.
For Tomcat versions, see https://support.safe.com/hc/en-us/articles/25407796731917-Third-Party-Component-Versions-for-FME-Flow#h_01HWQNDPPQJ4FNB9W9WK42ZZ0P
Regarding opening access to your Flow instance to the general public, I would strongly advise you to put it behind some sort of WAF to mitigate exposure to known and unknown security issues.