It would appear that FMS may, potentially, make use of a serialization routine that is known to have a serious security bug.
See this for a sobering writeup: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.
FMS would appear to at least contain the affected routine. For instance:
% grep -R InvokerTransformer /Library/FileMaker\ Server/Web\ Publishing
Binary file /Library/FileMaker Server/Web Publishing/publishing-engine/jwpc-tomcat/fmi/WEB-INF/lib/commons-collections-3.1.jar matches
Is anyone aware of this issue actually affecting FMS? Is the scope of the issue limited enough that we might be able to firewall it off?
Unfortunately, some systems we manage need to be Internet accessible for things like WebDirect or CWP, so completely firewalling them off is problematic.
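A more thorough version of the grep check above, as an added example that is not part of the original post: it opens every jar under a directory tree with Python's zipfile module, reports the ones that bundle the InvokerTransformer class, and reads the version from each jar's manifest so you can see whether it predates commons-collections 3.2.2 (the release that disabled unsafe deserialization of that class). The sample jars it builds are constructed fixtures, not real library files; point scan_jars at the Web Publishing directory to run it against an actual install.

```python
import os
import tempfile
import zipfile

# Class entry that the grep in the post matched inside commons-collections-3.1.jar.
GADGET_CLASS = "org/apache/commons/collections/functors/InvokerTransformer.class"
FIXED_VERSION = (3, 2, 2)  # commons-collections 3.2.2 refuses to deserialize this class by default


def parse_version(text):
    """'3.2.2' -> (3, 2, 2); a non-numeric component ends the tuple."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def manifest_version(jar):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_jars(root):
    """Return [(path, version, vulnerable)] for each jar that bundles the gadget class.
    An unknown version is reported as vulnerable so it gets looked at by hand."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    if GADGET_CLASS not in jar.namelist():
                        continue
                    version = manifest_version(jar)
            except zipfile.BadZipFile:
                continue  # not a jar after all, or corrupt
            vulnerable = version is None or parse_version(version) < FIXED_VERSION
            hits.append((path, version, vulnerable))
    return hits


def build_sample_jar(directory, version):
    """Constructed fixture: a minimal jar with a manifest and a placeholder gadget entry."""
    path = os.path.join(directory, "commons-collections-%s.jar" % version)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        jar.writestr(GADGET_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return path


def demo():
    """Scan a temp tree holding one old and one fixed fixture; returns {version: vulnerable}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(tmp, "3.1")
        build_sample_jar(tmp, "3.2.2")
        return {version: vulnerable for _, version, vulnerable in scan_jars(tmp)}


if __name__ == "__main__":
    for version, vulnerable in sorted(demo().items()):
        print(version, "VULNERABLE" if vulnerable else "patched")
```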