Question

Vulnerability CVE-2023-44487 in Apache Tomcat 9.0.76.0


tibor
Participant

Hi,

I got a message from our security officer that a vulnerability was detected on one of our servers.
This server has FME Flow 2023.2.2 Build 23781 - win64, which depends on Apache Tomcat.
Can you tell me if there is a security risk? And how can we solve this?

Thread is registered under: CVE-2023-44487.

Thank you

4 replies

david_r
Celebrity
  • May 28, 2025

The CVE seems to concern the possibility of a denial-of-service (DoS) attack.

Is your FME Flow instance openly reachable from the (public) Internet? If yes, it might indeed be an issue that needs addressing through an upgrade of your Flow instance.

If the Flow instance is only reachable from within your local enterprise network, I wouldn’t really call this a major issue -- unless you suspect there might be malicious actors within your organisation.


tibor
Participant
  • Author
  • May 28, 2025

Hi David,

Thanks for your reply.
At the moment the server is not openly reachable. But we want to change this.
When you say upgrade the Flow instance, do you mean upgrade Flow to 2024 or 2025?
Do you know the version of Tomcat that's used in 2024 or 2025?
The vulnerability is addressed in Tomcat 9.0.80.
I also see an option to update Tomcat to a newer version.
https://support.safe.com/hc/en-us/articles/25407527726221-FME-Flow-Upgrade-Provide-your-own-version-of-Tomcat

Regards
Tibor
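
As an added example (not part of this thread, and not code from Safe Software or the FME Flow product), the following Python script performs the triage a security officer would actually want for this finding: it parses the bundled Tomcat version, checks whether any connector in server.xml serves HTTP/2 at all (CVE-2023-44487 is the HTTP/2 "Rapid Reset" issue, so a Tomcat that only speaks HTTP/1.1 is not exposed to it), and combines that with the Internet-exposure question raised earlier. Assumptions: the version string is taken from org/apache/catalina/util/ServerInfo.properties inside lib/catalina.jar of the Tomcat directory shipped with FME Flow; Tomcat only serves HTTP/2 on a Connector that nests an UpgradeProtocol with className org.apache.coyote.http2.Http2Protocol (it is not enabled by default); FIXED_VERSION is 9.0.80 as stated in the post, while the Apache Tomcat 9 security page lists 9.0.81 as the first published release containing the fix. The server.xml below is a constructed sample.

```python
"""Triage an embedded Tomcat for CVE-2023-44487 (HTTP/2 Rapid Reset).

Added example; not from the forum thread or from Safe Software.
Assumptions are stated in the comments next to each constant.
"""
import re
import xml.etree.ElementTree as ET
import zipfile

# Tomcat only serves HTTP/2 on connectors carrying this UpgradeProtocol.
HTTP2_PROTOCOL = "org.apache.coyote.http2.Http2Protocol"

# Threshold as stated in the thread (9.0.80). The first published 9.0.x
# release containing the fix is 9.0.81, so anything below this tuple is
# affected. Only the 9.0.x branch is handled, matching the thread's build.
FIXED_VERSION = (9, 0, 80)

# Constructed sample server.xml: one plain HTTP/1.1 connector and one TLS
# connector with HTTP/2 enabled (the shape of Tomcat's commented-out default).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def parse_version(text):
    """Turn 'server.number=9.0.76.0' (or just '9.0.76') into (9, 0, 76)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def version_from_catalina_jar(jar_path):
    """Read server.number out of lib/catalina.jar (path is the caller's)."""
    with zipfile.ZipFile(jar_path) as jar:
        props = jar.read("org/apache/catalina/util/ServerInfo.properties").decode()
    for line in props.splitlines():
        if line.startswith("server.number="):
            return parse_version(line)
    raise ValueError("server.number missing from ServerInfo.properties")


def http2_connectors(server_xml):
    """Ports of every Connector that has the HTTP/2 UpgradeProtocol nested."""
    root = ET.fromstring(server_xml)
    ports = []
    for conn in root.iter("Connector"):
        upgrades = [u.get("className") for u in conn.findall("UpgradeProtocol")]
        if HTTP2_PROTOCOL in upgrades:
            ports.append(conn.get("port"))
    return ports


def triage(version_text, server_xml, internet_exposed):
    """Combine the three questions from the thread into one verdict.

    risk is one of:
      "patched"   - Tomcat is at or above FIXED_VERSION
      "no-http2"  - affected build, but no connector serves HTTP/2
      "internal"  - affected, HTTP/2 on, only reachable inside the network
      "internet"  - affected, HTTP/2 on, and reachable from the Internet
    """
    version = parse_version(version_text)
    ports = http2_connectors(server_xml)
    if version >= FIXED_VERSION:
        risk = "patched"
    elif not ports:
        risk = "no-http2"
    elif internet_exposed:
        risk = "internet"
    else:
        risk = "internal"
    return {"version": version, "http2_ports": ports, "risk": risk}


if __name__ == "__main__":
    # The thread's situation: 9.0.76.0, not yet public, but about to be.
    for exposed in (False, True):
        print(triage("server.number=9.0.76.0", SAMPLE_SERVER_XML, exposed))
```

Run it against the real files by replacing the sample with the contents of conf/server.xml from the bundled Tomcat and feeding version_from_catalina_jar() the path to its lib/catalina.jar. A "no-http2" result means the Rapid Reset vector is absent even on an unpatched build, but the upgrade is still the right fix; "internet" is the case where the version bump should happen before the instance is opened up.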


david_r
Celebrity
  • May 28, 2025

I would advise against updating Tomcat alone, unless you know what you’re doing. It’s probably much easier to simply upgrade FME Flow. At least that was the recommendation from Safe the last time I asked.

For Tomcat versions, see https://support.safe.com/hc/en-us/articles/25407796731917-Third-Party-Component-Versions-for-FME-Flow#h_01HWQNDPPQJ4FNB9W9WK42ZZ0P


david_r
Celebrity
  • May 28, 2025

Regarding opening access to your Flow instance to the general public, I would strongly advise you to put it behind some sort of WAF to mitigate exposure to known and unknown security issues.

