ArcGIS 10.2 - 10.2.2 for Server OpenSSL (Heartbleed) Patch


Esri strongly recommends customers using ArcGIS for Server on Linux at versions 10.2, 10.2.1, and 10.2.2 install this patch. This patch addresses an exploitable vulnerability caused by an OpenSSL defect commonly called Heartbleed.



Esri® announces the ArcGIS 10.2 - 10.2.2 for Server OpenSSL (Heartbleed) Patch. ArcGIS Server uses a library called OpenSSL that has a serious security vulnerability (CVE-2014-160). The OpenSSL vulnerability is exploitable in ArcGIS for Server on Linux, but not on Windows. When exploited, the memory in the print service and publishing services may be accessed - this may reveal to an attacker information such as the file locations, machine names, and the name of the user running ArcGIS Server. It cannot be used to reveal private keys. For a full discussion of the vulnerability in ArcGIS for Server please visit Knowledge Base - Technical Article 42407. It deals specifically with the issues listed below under Issues Addressed with this Patch.

Issues Addressed with this patch

  • NIM100876 - The print service and publishing service in ArcGIS Server on Linux are vulnerable to an OpenSSL defect that reveals the in-memory contents of the print service and publishing tools.

    Description: This issue allows an attacker to reveal in-memory contents of the print and publishing service, including deployment details for ArcGIS Server on Linux including installation location, process owner, and other details.

  • NIM100949 - Update ArcGIS Server so it will not report a "false positive" when tested for OpenSSL Vulnerability CVE-2014-0160 (Heartbleed).

Files Installed with this patch

Under the <ArcGIS Server Installation>/bin folder:

Installing this patch on Linux

Installation Steps:

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

ArcGIS 10.2, 10.2.1, or 10.2.2 for Server must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

        Checksum (Md5)
    ArcGIS 10.2 for Server ArcGIS-102-S-OSSL-Patch-lx.tar F2B92D71156E7FD0B43CDD5A1FB8B8D2
    ArcGIS 10.2.1 for Server ArcGIS-1021-S-OSSL-Patch-lx.tar 556957C5CC5EEF92A663BEC6C546EBB0
    ArcGIS 10.2.2 for Server ArcGIS-1022-S-OSSL-Patch-lx.tar 0BEF177D45374FD1D6AA9F557A007C90

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-S-OSSL-Patch-lx.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.