1 Reply Latest reply on Nov 11, 2015 2:54 PM by TorstenBernhard

    Apache Commons Vulnerability -- FMS affected?

    sibrcode

      It would appear that FMS may, potentially, make use of a serialization routine that is known to have a serious security bug.


      See this sobering writeup: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.


      FMS would appear to at least contain the affected routine. For instance:


      % grep -R InvokerTransformer /Library/FileMaker\ Server/Web\ Publishing

      Binary file /Library/FileMaker Server/Web Publishing/publishing-engine/jwpc-tomcat/fmi/WEB-INF/lib/commons-collections-3.1.jar matches


      Is anyone aware of this issue actually affecting FMS? Is the scope of the issue limited enough that we might be able to firewall it off?


      Unfortunately, some systems we manage need to be Internet accessible for things like WebDirect or CWP, so completely firewalling them off is problematic.


      Simon.