Solved

How to remediate CVE-2022-21724 in FME Server and FME Desktop?


A serious security alert (CVE-2022-21724) was announced for the PostgreSQL JDBC driver on February 2, 2022. We need to upgrade the PostgreSQL JDBC driver to 42.2.25 and above to remediate it.

We have identified a total of 4 PostgreSQL JDBC drivers in FME Server and FME Desktop:

[FME Server Root]\Utilities\tomcat\lib\postgresql-42.2.24.jar

[FME Server Root]\Utilities\jdbc\postgresql-42.2.24.jar

[FME Server Root]\Server\fme\plugins\postgresql-42.2.16.jar

[FME Desktop Root]\FME\plugins\postgresql-42.2.16.jar

Is there any patch available to remediate this vulnerability in those products? Or can we just replace those drivers with the required version?


4 replies

steveatsafe
Safer

Thanks for posting this question.

What version of FME Server & Desktop are in play here?


steveatsafe
Safer

I have personally tested newer versions of the Postgres JDBC Drivers with the FME Server System Database (on Postgres), but I've not tested the Engine with the newer version of the JDBC for the Postgres format.

My suggestion for FME Server is to test in a Dev environment (tomcat & jdbc locations)...

If you know your team makes use of the Postgres Format (JDBC) in the workspaces, then you'll also want to replace the file in the 'plugins' folder for both Server and Desktop and test the format in a workspace.

I'm going to run a few tests and report back, but these won't be 'official' product tests that FME would go through in our test suite.

Likely we can get this driver updated for FME 2022.x.


steveatsafe
Safer
  • Safer
  • Best Answer
  • May 13, 2022

I got around to doing a quick test using FME Server 2020.2.2 with the postgresql-42.2.25.jar version and all seemed well.

I tested the JDBC format in FME Desktop (JDBC Reader/Writer & SQLCreator). I ran this workspace on FME Server. I also updated the drivers found in FMEServer/Utilities/jdbc & lib and restarted FME Server and did some basic tests in the Web UI. All seems well.

We will be doing more in-depth testing with FME 2022 and likely the driver will be updated.

If you have more concerns please reach out or create a case with Safe Software Support.


@steveatsafe Thanks for your response and testing! Our FME Server & Desktop are both 2021.2. Please keep me posted if you have more findings. Thanks a lot!
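
An added example, not part of the original thread and not Safe Software tooling: a Python script that inventories PostgreSQL JDBC driver jars under the install roots passed to it and flags any below the 42.2.25 minimum named in the question, so each of the four locations can be checked before and after the jars are swapped. It goes beyond the thread in treating 42.3.0 and 42.3.1 as needing 42.3.2 (per the pgjdbc advisory for CVE-2022-21724), and it assumes the jar manifest carries an Implementation-Version or Bundle-Version header, falling back to the file name otherwise.

```python
import re
import sys
import zipfile
from pathlib import Path

NAME_RE = re.compile(r"^postgresql-(\d+(?:\.\d+)+)", re.IGNORECASE)
MANIFEST_RE = re.compile(r"^(?:Implementation|Bundle)-Version:\s*(\d+(?:\.\d+)+)", re.M)


def jar_version(jar):
    """Version tuple from the jar manifest (a file name can be changed by hand), else from the name."""
    text = ""
    try:
        with zipfile.ZipFile(jar) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable archive or no manifest: fall back to the file name
    m = MANIFEST_RE.search(text) or NAME_RE.match(jar.name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def needs_upgrade(version):
    """True when the driver is below the fixed release for its branch."""
    # 42.2.25 is the minimum named in the thread; the 42.3.2 floor for the
    # 42.3.x branch comes from the pgjdbc advisory, not from this thread.
    if version is None:
        return True  # version could not be determined: review by hand
    if version[:2] == (42, 3):
        return version < (42, 3, 2)
    return version < (42, 2, 25)


def scan(roots):
    """Return sorted (path, version, needs_upgrade) for every postgresql*.jar under roots."""
    found = []
    for root in roots:
        for jar in Path(root).rglob("postgresql*.jar"):
            v = jar_version(jar)
            found.append((str(jar), v, needs_upgrade(v)))
    return sorted(found)


if __name__ == "__main__":
    # Usage: python scan_pgjdbc.py <FME Server root> <FME Desktop root>
    for path, v, bad in scan(sys.argv[1:]):
        label = ".".join(map(str, v)) if v else "unknown"
        print(f"{'UPGRADE' if bad else 'ok':8} {label:10} {path}")
```

A jar that was renamed to look current but still carries an older manifest version is reported under its manifest version, so a copy-and-rename mistake shows up in the output.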

