The engineering team at FME Cloud has been working to assess the impact for our customers in the wake of April 7th’s disclosure of CVE-2014-0160, known as Heartbleed. Like nearly every service provider on the Internet, we responded to this critical vulnerability in OpenSSL’s handling of heartbeat packets and conducted a comprehensive security review.
The servers hosting the FME Cloud website use a version of OpenSSL that is not affected by the vulnerability. Our customers’ FME Server Cloud instances run on Linux servers that have the vulnerable OpenSSL installed, but fortunately the web application server (Tomcat) that FME Server uses underneath does not use the OpenSSL library. The FME Server instances that are currently running are therefore not exposed to this vulnerability. You can test this by entering the URL of your instance at http://filippo.io/Heartbleed/.
As a best practice we have patched the OpenSSL package so all new instances that you launch will be running the patched version.
If you have any questions or concerns then don’t hesitate to contact us.
Stewart Harper

Stewart is the Technical Director of Cloud Applications and Infrastructure at Safe. When he isn’t building location-based tools for the web, he’s probably skiing or mountain biking.