Apache Commons Vulnerability -- FMS affected?

Question asked by sibrcode on Nov 10, 2015
Latest reply on Nov 11, 2015 by TorstenBernhard

It would appear that FMS may, potentially, make use of a serialization routine that is known to have a serious security bug.

See this sobering writeup: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.

FMS would appear to at least contain the affected routine. For instance:

    % grep -R InvokerTransformer /Library/FileMaker\ Server/Web\ Publishing
    Binary file /Library/FileMaker Server/Web Publishing/publishing-engine/jwpc-tomcat/fmi/WEB-INF/lib/commons-collections-3.1.jar matches

Is anyone aware of this issue actually affecting FMS? Is the scope of the issue limited enough that we might be able to firewall it off?

Unfortunately, some systems we manage need to be Internet accessible for things like WebDirect or CWP, so completely firewalling them off is problematic.
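The `grep -R InvokerTransformer` check in the post matches the class name as a byte string anywhere inside a JAR, which is a quick triage but says nothing about which library version is bundled. The script below is an added inventory example, not code from the post or from FileMaker: it walks a directory tree, opens each `.jar` as a ZIP archive, reports the ones that actually carry the `InvokerTransformer` class entry, and pulls the version out of the JAR manifest so the findings can be compared against vendor guidance. The scan root, the sample JARs it builds under a temporary directory, the placeholder class bytes, and the `commons-collections4` package name are all constructed assumptions for illustration; the post only mentions the 3.1 JAR. A hit means the class is present on disk, which is an inventory fact, not by itself proof that the application deserializes untrusted input.

```python
"""Inventory JARs that bundle the Apache Commons Collections InvokerTransformer
class. Added example, not from the original post or from FileMaker; the sample
tree built by build_sample_tree() is constructed for illustration."""
import os
import sys
import tempfile
import zipfile
from typing import Dict, List

# ZIP entry whose presence the post's `grep -R InvokerTransformer` detects
# for the commons-collections 3.x package name.
INVOKER_CLASS = "org/apache/commons/collections/functors/InvokerTransformer.class"
# Assumption: same class under the 4.x package name, checked for completeness.
INVOKER_CLASS_V4 = "org/apache/commons/collections4/functors/InvokerTransformer.class"
CANDIDATES = (INVOKER_CLASS, INVOKER_CLASS_V4)


def jar_version(zf: zipfile.ZipFile) -> str:
    """Best-effort library version from META-INF/MANIFEST.MF, else 'unknown'."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return "unknown"


def scan_jars(root: str) -> List[Dict[str, str]]:
    """Walk `root` and return one record per JAR containing InvokerTransformer.

    Only JAR files lying on disk are inspected (as in the exploded WEB-INF/lib
    layout the post shows); JARs nested inside a WAR are not opened.
    """
    findings: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    names = set(zf.namelist())
                    hit = next((c for c in CANDIDATES if c in names), None)
                    if hit is None:
                        continue
                    findings.append(
                        {"jar": path, "class": hit, "version": jar_version(zf)}
                    )
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than abort the sweep
    return findings


def build_sample_tree() -> str:
    """Constructed fixture: one JAR with the class, one without, under a temp dir."""
    root = tempfile.mkdtemp(prefix="jar-scan-")
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    # Placeholder bytes stand in for real class files; only the entry name matters.
    fake_class = b"\xca\xfe\xba\xbe"
    with zipfile.ZipFile(os.path.join(lib, "commons-collections-3.1.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 3.1\n")
        zf.writestr(INVOKER_CLASS, fake_class)
    with zipfile.ZipFile(os.path.join(lib, "other-lib.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Other.class", fake_class)
    return root


if __name__ == "__main__":
    # Usage: python scan_jars.py "/Library/FileMaker Server/Web Publishing"
    # With no argument the constructed sample tree is scanned instead.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan_jars(target):
        print(f"{f['jar']}: contains {f['class']} (version {f['version']})")
```

Pointing the script at the `Web Publishing` directory from the post reproduces the grep finding with the version attached, and re-running it after a vendor update is a cheap way to confirm that the bundled library actually changed.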