AnsweredAssumed Answered

FileMaker Server 14 - Apache and/or Tomcat not patched for HTTPoxy?

Question asked by nciske on Oct 12, 2016
Latest reply on May 3, 2017 by cranstonit

Have a client failing a PCI scan on their static IP (which FM server runs behind) because port 8081 (Tomcat) is open and the version of Tomcat that ships with FMS does not appear to be patched for HTTPoxy (or so it appears).

 

https://httpoxy.org/

 

https://www.apache.org/security/asf-httpoxy-response.txt

 

The fix for Tomcat looks like no fun to apply and I suspect would be overwritten by an update.

 

Which brings up a few questions:

 

  1. Is there a patch planned for FMS 14?
  2. Is FMS 15 patched against this issue?
  3. If we upgrade to FMS 15 to patch this... will it fail the TLS check again?
    Re: FileMaker Server TLS version?

 

Hoping RosemaryTietge can shed some light here...?

Outcomes