CVE-2022-38342 FME Server v2021.2.5, v2022.0.0.2 and older contains a XXE vulnerability which allows attackers to exfiltrate/SSRF data.

An attacker can exploit this vulnerability by sending a specially crafted request to the affected application, causing a denial of service condition for the server or data exfiltration. These attacks can be especially dangerous for production environments as they typically do not require any kind of authentication and can go unnoticed for a long time.

Security researchers at Tenable discovered that the version of the Safeware Software FME Server running on the version 2021.2.5, v2022.0.0.2 and below was found to contain this XXE vulnerability. The information below outlines steps that users can take to protect themselves against this type of attack.

Update to the latest version

The Safeware Software FME Server is a software program that is used to control and manage manufacturing equipment like the machines. To update to the latest version you need to contact their user support team for assistance.

What to do if you are at risk?

If you are a user of Safeware Software FME Server, then Safeware recommends that you update to the latest version, 2021.2.5, as soon as possible. If you are a customer of Safeware, please contact your sales team for more information on how to get updated servers and fulfill your security obligations.

This is an XXE vulnerability which can lead to data exfiltration from the server if exploited by an attacker. There is no authentication needed for this particular vulnerability so it is not recommended for production environments.

Protect your Web Application from XXE attacks

Users at risk of being exploited by XXE attacks need to ensure that the FME Server has a strong firewall, no exposed ports, and is running on a private network. The following are steps that can be taken by users to protect themselves against this type of attack:
- Ensure that your Web Application is never accessible to the public
- Make sure your FME Server cannot be accessed remotely
- Make sure your FME Server runs on a private network with no public access
- Ensure that your FME Server has a strong firewall

Patch Official Software

Patches for this vulnerability have already been issued by Safeware and should be applied as soon as possible. However, if you cannot apply the patch due to other software conflicts, then it is recommended that you replace your server with a new one.

Update to Latest Version of the Server

The security researchers at Tenable recommend updating to the latest version of the server.

Timeline

Published on: 09/13/2022 20:15:00 UTC
Last modified on: 09/23/2022 18:15:00 UTC

References

• https://community.safe.com/s/article/Known-Issue-FME-Server-XXE-vulnerability-via-adding-a-repository-item
• https://community.safe.com/s/article/Known-Issue-FME-Server-vulnerability-with-arbitrary-path-traversal-and-file-upload
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38342