Safe Software Inc.
FME Server Vulnerability Disclosure

Colin Murdoch – Cycura Cyber Security Researcher

While performing a recent penetration test for a client, one of the in-scope modules contained workflows hosted within an instance of the FME Server application. Although an assessment of the FME Server instance itself was not originally in scope, the client signed off on this addition during the final days of the engagement to allow for broader coverage of their attack surface.

Safe Software Inc. FME Server is an enterprise tool for creating automated workflows that run various data integration tasks, either on a schedule or in an event-driven model. Through a “visual design” approach, workflows let users automate data processing tasks without the tedious manual labour of writing code or integrating with various systems. FME Server is a data processing engine that can use data streams to build business insights, transform customer data, and improve operational efficiencies through real-time data processing.

The following is a breakdown of the methodologies and impacts of the multiple vulnerabilities we discovered, some of which were critical. Because the discovered vulnerabilities affect users of the software beyond our client, we contacted Safe Software under responsible disclosure so that they could proceed with remediation of said vulnerabilities.