The FileMaker Apache Commons JAR Replacer is an automation solution that addresses CVE-2025-46295 by replacing vulnerable Apache Commons JAR files in FileMaker Server installations. Instead of upgrading the entire FileMaker Server, this solution follows the official Claris guidance to replace only the vulnerable commons-text and commons-lang3 JAR files with updated versions.
For most users, download the latest release instead of building from source:
- Go to the Releases page
- Download the appropriate file for your platform:
  - Windows: filemaker-jar-replacer-windows.zip
  - macOS: filemaker-jar-replacer-macos.tar.gz
  - Ubuntu/Linux: filemaker-jar-replacer-ubuntu.tar.gz
- Extract and run - See the release notes for detailed extraction and usage instructions
- ✅ Pre-tested - All releases are thoroughly tested across platforms
- ✅ Ready to use - No compilation or setup required
- ✅ Secure - Signed releases with checksums for verification
- ✅ Complete - Includes all dependencies and documentation
The affected JAR files are installed only when the Web Publishing Engine is enabled for the first time.
- Severity: Critical
- CVSS Score: 9.8 (Critical)
- Affected Component: Apache Commons Text (versions prior to 1.10.0) and Apache Commons Lang (versions prior to 3.18.0)
- Impact: Remote Code Execution
- Affected FileMaker Versions: All versions with vulnerable JAR files
- Solution: Replace vulnerable JAR files with updated versions (commons-text 1.11.0+, commons-lang3 3.18.0+)
- Manual JAR Replacement Instructions (Without FileMaker Server Upgrade): https://support.claris.com/s/answerview?anum=000049055&language=en_US
- CVE-2025-46295 Security Advisory (NIST): https://nvd.nist.gov/vuln/detail/CVE-2025-46295
- Vulnerability Acknowledgment & Safe Version Confirmation: https://support.claris.com/s/answerview?anum=000049059&language=en_US
This JAR replacer provides platform-specific scripts for:
- Windows: PowerShell script (replace-filemaker-jars-windows.ps1)
- macOS: Bash script (replace-filemaker-jars-macos.sh)
- Ubuntu: Bash script (replace-filemaker-jars-ubuntu.sh)
- Windows Server 2016+
- PowerShell 5.1 or later
- Administrator privileges
- FileMaker Server installed
- macOS 10.15 (Catalina) or later
- Bash shell
- sudo privileges
- FileMaker Server installed
- Ubuntu 20.04 LTS or later
- Bash shell
- sudo privileges
- FileMaker Server installed
IMPORTANT: Before making any changes to your FileMaker Server, run the script with the --dry-run option to check if your server is vulnerable and see what changes would be made.
# Run PowerShell as Administrator
# Show help and available options
.\replace-filemaker-jars-windows.ps1 -Help
# Check if your server is vulnerable (RECOMMENDED FIRST STEP)
.\replace-filemaker-jars-windows.ps1 -DryRun
# Apply the security fix (only after reviewing dry-run results)
.\replace-filemaker-jars-windows.ps1

# Run with sudo privileges
# Show help and available options
sudo ./replace-filemaker-jars-macos.sh --help
# Check if your server is vulnerable (RECOMMENDED FIRST STEP)
sudo ./replace-filemaker-jars-macos.sh --dry-run
# Apply the security fix (only after reviewing dry-run results)
sudo ./replace-filemaker-jars-macos.sh

# Run with sudo privileges
# Show help and available options
sudo ./replace-filemaker-jars-ubuntu.sh --help
# Check if your server is vulnerable (RECOMMENDED FIRST STEP)
sudo ./replace-filemaker-jars-ubuntu.sh --dry-run
# Apply the security fix (only after reviewing dry-run results)
sudo ./replace-filemaker-jars-ubuntu.sh

The --dry-run option is the safest way to:
- Check vulnerability status without making any changes
- Identify which JAR files need to be replaced
- Verify script compatibility with your FileMaker Server installation
- Preview all actions that would be performed
- Detect potential issues before making changes
Always run with --dry-run first to understand what the script will do on your system.
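As an added illustration of the kind of check a dry run performs (this is not the project's own code), the sketch below classifies commons-text and commons-lang3 JARs by the version in their file name, using the "versions prior to" thresholds listed above. The function names are hypothetical, and a file name can be wrong, so treat the JAR's META-INF/MANIFEST.MF as the authoritative version.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. Function names are hypothetical.

# version_lt A B: succeed when dotted version A is numerically lower than B.
# Fields are compared as numbers, so 1.9 < 1.10.0 (a string compare gets this wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# classify_jar FILE: print "vulnerable", "ok" or "unknown" for one JAR name.
# Thresholds are the "versions prior to" values this page lists as affected.
classify_jar() {
    local name ver min
    name="$(basename "$1")"
    case "$name" in
        commons-text-*.jar)  min="1.10.0"; ver="${name#commons-text-}" ;;
        commons-lang3-*.jar) min="3.18.0"; ver="${name#commons-lang3-}" ;;
        *) echo unknown; return 0 ;;
    esac
    ver="${ver%.jar}"
    # Only plain dotted numbers are trusted; anything else needs a manual look.
    case "$ver" in
        ""|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if version_lt "$ver" "$min"; then echo vulnerable; else echo ok; fi
}

# scan_lib_dir DIR: list matching JARs in DIR with their status.
# Returns 1 when at least one JAR is vulnerable, 0 otherwise.
scan_lib_dir() {
    local dir="$1" jar status rc=0
    for jar in "$dir"/commons-text-*.jar "$dir"/commons-lang3-*.jar; do
        [ -e "$jar" ] || continue   # glob matched nothing
        status="$(classify_jar "$jar")"
        printf '%-10s %s\n' "$status" "$(basename "$jar")"
        if [ "$status" = vulnerable ]; then rc=1; fi
    done
    return "$rc"
}
```

Point `scan_lib_dir` at the WEB-INF/lib directory for your platform; a non-zero exit status means at least one JAR is below the threshold.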
- Automatically detects FileMaker Server installations and Web Publishing Engine directories
- Identifies vulnerable commons-text and commons-lang3 JAR files
- Downloads updated JAR files (commons-text 1.11.0+, commons-lang3 3.18.0+)
- Performs atomic JAR file replacement with integrity verification
- Creates complete backup of existing JAR files before replacement
- Automatic rollback on replacement failure
- Backup integrity verification
- Uses official fmsadmin command-line tool for service management
- Secure credential handling for fmsadmin authentication
- Automatic Web Publishing Engine restart after JAR replacement
- Post-replacement functionality verification
- Secure credential handling (never logged or displayed)
- Supports environment variables and .env files
- Validates file permissions for credential files
- Comprehensive operation logging with timestamps
- Platform-specific log locations
- Error tracking and recovery guidance
- Color-coded status indicators
- Progress tracking for long operations
- Clear error messages and recovery instructions
filemaker-jar-replacer/
├── README.md # This file
├── replace-filemaker-jars-windows.ps1 # Windows PowerShell script
├── replace-filemaker-jars-macos.sh # macOS Bash script
├── replace-filemaker-jars-ubuntu.sh # Ubuntu Bash script
├── scripts/
│ ├── windows/
│ │ └── modules/ # PowerShell modules for JAR operations
│ ├── macos/
│ │ └── modules/ # Bash function modules for JAR operations
│ ├── ubuntu/
│ │ └── modules/ # Bash function modules for JAR operations
│ └── shared/ # Shared utilities and templates
├── config/
│ ├── logging-config.json # Logging configuration
│ └── jar-replacement-config.json # JAR replacement configuration
├── tests/ # Test suite (BATS and Pester)
├── logs/ # Log files (created during execution)
└── backups/ # JAR backup files (created during execution)
You can configure the updater using environment variables:
# FileMaker Server credentials
export FILEMAKER_USERNAME="admin"
export FILEMAKER_PASSWORD="your_secure_password"
# Custom paths (optional)
export FILEMAKER_INSTALL_PATH="/custom/path/to/filemaker"
export BACKUP_DIRECTORY="/custom/backup/path"

Create a .env file in the script directory:
# .env file (must have 600 permissions)
FILEMAKER_USERNAME=admin
FILEMAKER_PASSWORD=your_secure_password
BACKUP_DIRECTORY=/custom/backup/path

Important: Ensure the .env file has restrictive permissions (600) for security.
If the automated script fails, follow these manual steps to replace the vulnerable JAR files:
# Using fmsadmin (recommended)
& "C:\Program Files\FileMaker\FileMaker Server\Database Server\fmsadmin.exe" stop wpe -u admin -p password
# Or using services
Stop-Service "FileMaker Server Web Publishing Engine"

# Using fmsadmin (recommended)
sudo "/Library/FileMaker Server/Database Server/bin/fmsadmin" stop wpe -u admin -p password
# Or using launchctl
sudo launchctl stop com.filemaker.wpe

# Using fmsadmin (recommended)
sudo "/opt/FileMaker/FileMaker Server/Database Server/bin/fmsadmin" stop wpe -u admin -p password
# Or using systemctl
sudo systemctl stop filemaker-wpe

$jarPath = "C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\jwpc-tomcat\webapps\ROOT\WEB-INF\lib"
$backupPath = "C:\Temp\jar-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $backupPath
Copy-Item "$jarPath\commons-text-*.jar" $backupPath
Copy-Item "$jarPath\commons-lang3-*.jar" $backupPath

JAR_PATH="/Library/FileMaker Server/Web Publishing/publishing-engine/jwpc-tomcat/webapps/ROOT/WEB-INF/lib" # macOS
# JAR_PATH="/opt/FileMaker/FileMaker Server/Web Publishing/publishing-engine/jwpc-tomcat/webapps/ROOT/WEB-INF/lib" # Ubuntu
BACKUP_PATH="/tmp/jar-backup-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$BACKUP_PATH"
cp "$JAR_PATH"/commons-text-*.jar "$BACKUP_PATH/"
cp "$JAR_PATH"/commons-lang3-*.jar "$BACKUP_PATH/"

Download the following JAR files from Apache Commons:
- commons-text-1.11.0.jar or later from: https://commons.apache.org/proper/commons-text/download_text.cgi
- commons-lang3-3.18.0.jar or later from: https://commons.apache.org/proper/commons-lang/download_lang.cgi
Verify checksums against official Apache Commons checksums.
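One way to carry out the checksum verification, shown as an added example rather than code from this project: the functions below compare a JAR's SHA-512 digest with the value in the checksum file published beside it. The function names are hypothetical, and the checksum file is assumed to hold either a bare digest or `digest  filename`; anything else is rejected as unusable.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. Function names are hypothetical.

# sha512_of FILE: print the lowercase SHA-512 hex digest, using whichever
# tool is present (sha512sum on Ubuntu, shasum on macOS).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | awk '{print tolower($1)}'
    else
        echo "no SHA-512 tool found" >&2
        return 2
    fi
}

# verify_jar_checksum JAR CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be used.
verify_jar_checksum() {
    local jar="$1" sumfile="$2" expected actual
    [ -f "$jar" ] && [ -f "$sumfile" ] || { echo "missing file" >&2; return 2; }
    # First whitespace-delimited token of the first non-empty line.
    expected="$(awk 'NF {print tolower($1); exit}' "$sumfile")"
    # A SHA-512 digest is exactly 128 hex characters; reject anything else,
    # for example an HTML error page saved in place of the checksum.
    case "$expected" in
        ""|*[!0-9a-f]*) echo "malformed checksum file: $sumfile" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "not a SHA-512 digest" >&2; return 2; }
    actual="$(sha512_of "$jar")" || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $jar"
        return 0
    fi
    echo "MISMATCH: $jar (do not install)" >&2
    return 1
}
```

Run it for each downloaded JAR before copying it into place, and stop on any non-zero result.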
$jarPath = "C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\jwpc-tomcat\webapps\ROOT\WEB-INF\lib"
# Remove old JAR files
Remove-Item "$jarPath\commons-text-*.jar"
Remove-Item "$jarPath\commons-lang3-*.jar"
# Copy new JAR files
Copy-Item "commons-text-1.11.0.jar" $jarPath
Copy-Item "commons-lang3-3.18.0.jar" $jarPath

JAR_PATH="/Library/FileMaker Server/Web Publishing/publishing-engine/jwpc-tomcat/webapps/ROOT/WEB-INF/lib" # macOS
# JAR_PATH="/opt/FileMaker/FileMaker Server/Web Publishing/publishing-engine/jwpc-tomcat/webapps/ROOT/WEB-INF/lib" # Ubuntu
# Remove old JAR files
sudo rm "$JAR_PATH"/commons-text-*.jar
sudo rm "$JAR_PATH"/commons-lang3-*.jar
# Copy new JAR files
sudo cp commons-text-1.11.0.jar "$JAR_PATH/"
sudo cp commons-lang3-3.18.0.jar "$JAR_PATH/"
# Set proper permissions
sudo chown fmserver:fmsadmin "$JAR_PATH"/commons-*.jar # Adjust ownership as needed
sudo chmod 644 "$JAR_PATH"/commons-*.jar

# Using fmsadmin (recommended)
& "C:\Program Files\FileMaker\FileMaker Server\Database Server\fmsadmin.exe" start wpe -u admin -p password
# Or using services
Start-Service "FileMaker Server Web Publishing Engine"

# Using fmsadmin (recommended)
sudo "/Library/FileMaker Server/Database Server/bin/fmsadmin" start wpe -u admin -p password
# Or using launchctl
sudo launchctl start com.filemaker.wpe

# Using fmsadmin (recommended)
sudo "/opt/FileMaker/FileMaker Server/Database Server/bin/fmsadmin" start wpe -u admin -p password
# Or using systemctl
sudo systemctl start filemaker-wpe

- Check that the Web Publishing Engine is running
- Verify new JAR files are in place with correct versions
- Test web publishing functionality
- Check FileMaker Server logs for any errors
If the automated script fails, follow these manual steps:
net stop "FileMaker Server"

sudo launchctl stop com.filemaker.fms

sudo service fmshelper stop

- Back up your databases from the Data folder
- Back up configuration files
- Note current version for rollback
- Download FileMaker Server 22.0.4 from Claris
- Verify checksum integrity
- Run installer with appropriate parameters
- Confirm version is 22.0.4 or later
- Test database connectivity
- Verify services are running
net start "FileMaker Server"

sudo launchctl start com.filemaker.fms

sudo service fmshelper start

- Verify FileMaker Server is installed
- Check installation path matches expected locations
- Run script with appropriate privileges
- Run PowerShell as Administrator (Windows)
- Use sudo with the script (macOS/Ubuntu)
- Verify user account has necessary permissions
- Check available disk space
- Verify write permissions to backup directory
- Ensure JAR files are not locked by running processes
- Check internet connectivity
- Verify firewall settings allow HTTPS downloads to Apache Commons repositories
- Try manual download and place in script directory
- Verify fmsadmin credentials are correct
- Check that FileMaker Server is running
- Try manual restart using fmsadmin command
- Check FileMaker Server logs for service issues
- Windows: logs\filemaker-jar-replacer-windows.log
- macOS: logs/filemaker-jar-replacer-macos.log
- Ubuntu: logs/filemaker-jar-replacer-ubuntu.log
- Always run scripts with appropriate privileges
- Verify script integrity before execution
- Use secure credential storage methods
- Review logs for any security-related events
- Test in non-production environment first
- Claris Support: https://support.claris.com/
- FileMaker Community: https://community.claris.com/
- Security Advisories: https://support.claris.com/s/topic/0TO4u000000TNvGGAW/security-advisories
- Claris Technical Support: Available through your support plan
- Security Issues: Report to security@claris.com
This project includes comprehensive test suites for all platforms to ensure reliability and security.
The project uses different testing frameworks for each platform:
- Linux/macOS: BATS (Bash Automated Testing System)
- Windows: Pester (PowerShell testing framework)
macOS (using Homebrew):
brew install bats-core

Ubuntu/Debian:
# Install via package manager
sudo apt update
sudo apt install bats
# Or install latest version from source
git clone https://github.com/bats-core/bats-core.git
cd bats-core
sudo ./install.sh /usr/local

Manual Installation (any Unix-like system):
git clone https://github.com/bats-core/bats-core.git
cd bats-core
sudo ./install.sh /usr/local

Pester comes pre-installed with PowerShell 5.1+ and Windows PowerShell, but you may want to update to the latest version:
# Check current version
Get-Module -Name Pester -ListAvailable
# Install/Update to latest version (PowerShell 5.1+)
Install-Module -Name Pester -Force -SkipPublisherCheck
# For PowerShell Core (7+)
Install-Module -Name Pester -Scope CurrentUser

# Run specific BATS test file (Linux/macOS)
bats tests/backup-creation.bats
bats tests/version-detection.bats
# Run specific Pester test file (Windows)
Invoke-Pester tests/windows/Integration.Tests.ps1
Invoke-Pester tests/windows/Utilities.Tests.ps1

# Run all BATS tests (Linux/macOS)
bats tests/*.bats
# Run all Pester tests (Windows)
Invoke-Pester tests/windows/

The test suite includes:
- Unit Tests: Individual function and module testing
- Integration Tests: End-to-end workflow testing
- Security Tests: Credential handling and permission validation
- Platform-Specific Tests: OS-specific functionality validation
- Edge Case Tests: Error handling and boundary condition testing
Tests create isolated temporary environments and do not affect your system or FileMaker installation. However, some tests may require:
- Administrator/sudo privileges (for privilege escalation tests)
- Network access (for download simulation tests)
- Sufficient disk space (for backup creation tests)
This JAR replacer is provided as-is for addressing CVE-2025-46295. Use in accordance with your FileMaker Server license agreement and Apache Commons license terms.
- Initial release
- Support for Windows, macOS, and Ubuntu
- Automated JAR replacement for CVE-2025-46295
- commons-text and commons-lang3 JAR file replacement
- Comprehensive logging and backup functionality
- Web Publishing Engine management with fmsadmin integration