
ArcGIS Security Update for Flexera CVE-2016-10395

Summary

The ArcGIS Security Update for Flexera CVE-2016-10395 is a Windows-only patch that addresses a vulnerability identified with the Flexnet Licensing Service.

Description

Introduction

Esri® announces the ArcGIS Security Update for Flexera CVE-2016-10395. This patch addresses a vulnerability that may be exploited by malicious users to potentially gain escalated privileges to the local system. The patch applies to all affected ArcGIS products and is backward compatible to ArcGIS version 10.1. It deals specifically with the issues listed below under Issues Addressed with this patch.

Note: The impacted versions of Flexnet Publisher are deployed in ArcGIS License Manager, ArcGIS Engine and ArcGIS Desktop 10.1 through 10.5.1 (including ArcGIS Pro versions 1.2 through 2.0), ArcGIS Server and Portal for ArcGIS 10.5 and 10.5.1. This issue also impacts Esri CityEngine 2015.2 through 2017.0.


Issues Addressed with this patch


A vulnerability, CVE-2016-10395, has been reported in FlexNet Publisher versions 11.14.1.0 and earlier, which may be exploited by malicious users to potentially gain escalated privileges to the local system.

  • An Out-of-bounds Read (CWE-125) in the Windows FlexNet Publisher Licensing Service could theoretically be used to alter program flow.
  • Successful exploitation may allow execution of arbitrary code with SYSTEM privileges.
  • Only the Flexnet Publisher licensing service is vulnerable. All other Flexnet Publisher components, for example LMGRD or LMADMIN, are not affected.

Installing this patch on Windows

Important Note:


This patch only needs to be installed once per computer if more than one product is installed on the computer.

Installation Steps:


The setup will automatically detect and upgrade the Flexnet Publisher licensing service. You must save your work and exit all ArcGIS programs before performing the upgrade. After the upgrade is complete, you may restart your applications.

  1. Download the file to a location other than your ArcGIS installation location.

  2. Flexnet Publisher licensing service        Checksum (MD5)

     64-bit: ArcGISFlexCVEx64.exe               3E364DE4923FC78E09EAA55C866BD7F4
         ArcGIS Pro 1.2 through 2.0
         ArcGIS Server 10.5 and 10.5.1
         Portal for ArcGIS 10.5 and 10.5.1
         Esri CityEngine 2015.2 through 2017.0 64-bit

     32-bit: ArcGISFlexCVEx86.exe               BB95668FEE6733B8EF22E921C69A021D
         ArcGIS Desktop 10.1 through 10.5.1
         ArcGIS Engine 10.1 through 10.5.1
         ArcGIS License Manager 10.1 through 10.5.1
         Esri CityEngine 2015.2 through 2017.0 32-bit

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click <ArcGISFlexCVEx64.EXE or ArcGISFlexCVEx86.EXE> to start the setup process.
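
The table above publishes MD5 checksums, but the steps do not show how to check them. The following PowerShell is an added example, not part of Esri's instructions: it compares each downloaded installer against the published checksum and reports its Authenticode status before you run it. The download folder and the presence of an Authenticode signature on the installers are assumptions.

```powershell
# Added example: verify the patch installers before running them (step 4).
param(
    # Assumed download location; change it to wherever you saved the file.
    [string]$DownloadDir = "$env:USERPROFILE\Downloads"
)

# MD5 values exactly as published in the table above.
$Published = @{
    'ArcGISFlexCVEx64.exe' = '3E364DE4923FC78E09EAA55C866BD7F4'
    'ArcGISFlexCVEx86.exe' = 'BB95668FEE6733B8EF22E921C69A021D'
}

function Test-PatchInstaller {
    param([Parameter(Mandatory)][string]$Path)

    $name = Split-Path -Leaf $Path
    if (-not $Published.ContainsKey($name)) {
        throw "Unexpected file name '$name'"
    }

    # MD5 catches a corrupted or truncated download. It is not collision
    # resistant, so the signature status is reported alongside it.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $hashOk = ($actual -eq $Published[$name])   # string -eq ignores case

    # Assumption: the installer carries an Authenticode signature.
    # Review the reported signer yourself; no signer name is hard-coded here.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File        = $name
        ExpectedMD5 = $Published[$name]
        ActualMD5   = $actual
        HashMatches = $hashOk
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        OkToRun     = ($hashOk -and ($sig.Status -eq 'Valid'))
    }
}

# Check whichever of the two installers is present in the download folder.
foreach ($name in $Published.Keys) {
    $path = Join-Path $DownloadDir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        Test-PatchInstaller -Path $path
    } else {
        Write-Warning "Not found: $path"
    }
}
```

Run the installer only when `OkToRun` is `True`; if `HashMatches` is `False`, delete the file and download it again.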


Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

August 16, 2017: Updates have been made to clarify the impacted versions of Flexnet Publisher.

Getting Help

If you have any difficulty installing this patch, domestic sites should contact Esri Technical Support at 1-888-377-4575. International sites should contact their local Esri software distributor.