Technical Article - Problem: OpenSSL Vulnerability CVE-2014-0160 (Heartbleed)

Article ID: 42405
Bug Id: N/A
Software:
  ArcGIS Online Current
  ArcGIS for Desktop Advanced 10.2, 10.2.1, 10.2.2, 10.1 SP1
  ArcGIS for Desktop Standard 10.2, 10.2.1, 10.2.2, 10.1 SP1
  ArcGIS for Desktop Basic 10.2, 10.2.1, 10.2.2, 10.1 SP1
  ArcGIS for Server 10.2, 10.2.1, 10.2.2, 10.1 SP1
  ArcGIS Runtime SDK for iOS 10.2.2
  ArcGIS Runtime SDK for Android 10.2.2
  ArcGIS Runtime SDK for Qt 10.1.1, 10.2, 10.2.2
  ArcGIS Runtime SDK for WPF 10.1.1, 10.2, 10.2.2
  ArcGIS Runtime SDK for Java 10.1.1, 10.2, 10.2.2
  ArcGIS Engine for Linux 10.2, 10.2.1, 10.2.2, 10.1 SP1
  ArcGIS Engine for Windows 10.2, 10.2.1, 10.2.2, 10.1 SP1
  ArcGIS Runtime SDK for OS X 10.2.2
Platforms: N/A

Description

On April 7, 2014, a security vulnerability in the OpenSSL cryptographic library was disclosed at Heartbleed.com. The defect is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension (RFC 6520): a remote peer can send a heartbeat whose length field overstates its payload and receive up to 64 KB of the process's memory in reply, which may include private keys, session data and credentials. The security advisory for this vulnerability is CVE-2014-0160. Esri staff have been performing maintenance to validate, secure, and patch Esri servers and infrastructure to close this vulnerability and ensure Esri customers are protected.

The vulnerable OpenSSL versions were not shipped with ArcGIS 10.1 and earlier releases, so those releases are not affected. Only 10.1 SP1 and later ship them.

Many Esri products include the OpenSSL library but do not use it to serve TLS connections, which is the only code path (the heartbeat extension) where the defect is reachable. Security scanners that match on the library's version banner will flag these products for CVE-2014-0160 even though no exploitable condition exists in that specific usage. Esri will be providing software updates to upgrade the OpenSSL library in affected products to eliminate these false positives. This technical article is updated as availability dates are set.
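To see what such a scan actually measures, here is an added example (not Esri code or an Esri tool) that does what a file-based scanner does: it searches an install tree for the version banner OpenSSL compiles into libssl/libcrypto and checks the release against the CVE-2014-0160 range. The sample install tree, file names and banner-carrying blobs are constructed for the example; the version-range logic follows the OpenSSL advisory of 7 April 2014.

```python
"""Triage bundled OpenSSL copies the way a file-based vulnerability scanner does.

Added example for this article, not Esri code or an Esri tool. OpenSSL compiles
its version banner (OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.0.1e 11 Feb 2013")
into libssl/libcrypto, so scanners grep installed files for it and match the
release against the CVE-2014-0160 range. Finding such a banner proves only
that the library is on disk; whether any process feeds TLS heartbeat records
to it is a separate question that this check cannot answer.
"""
import re
import tempfile
from pathlib import Path
from typing import Iterator, List, NamedTuple

# "OpenSSL <base><suffix> <day> <Mon> <year>", e.g. "OpenSSL 1.0.1g 7 Apr 2014".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z0-9-]*) +\d{1,2} [A-Z][a-z]{2} \d{4}")


class Finding(NamedTuple):
    path: str
    version: str
    in_cve_range: bool


def version_in_cve_range(version: str) -> bool:
    """True for releases that shipped the Heartbleed defect (OpenSSL advisory, 7 Apr 2014)."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z0-9-]*)", version)
    if not m:
        return False
    base, suffix = m.groups()
    if base == "1.0.1":
        return suffix < "g"        # 1.0.1 (no letter) through 1.0.1f; fixed in 1.0.1g
    if base == "1.0.2":
        return suffix == "-beta1"  # the only 1.0.2 pre-release with the bug
    return False                   # 1.0.0 and 0.9.8 never had the heartbeat code


def banners_in(data: bytes) -> List[str]:
    """Every OpenSSL version string embedded in a blob (a DLL, .so, or static binary)."""
    return [(m.group(1) + m.group(2)).decode("ascii") for m in BANNER_RE.finditer(data)]


def scan_tree(root: Path) -> Iterator[Finding]:
    """Walk an install tree and report each file carrying an OpenSSL banner."""
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for version in banners_in(path.read_bytes()):
            yield Finding(path.relative_to(root).as_posix(), version, version_in_cve_range(version))


def demo() -> List[Finding]:
    """Run the scan over a constructed install tree (stand-ins for real libraries)."""
    samples = {
        "bin/ssleay32.dll":       b"MZ\x90\x00...rodata...OpenSSL 1.0.1e 11 Feb 2013\x00...",
        "lib/libssl.so.1.0.0":    b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014\x00...",
        "lib/libcrypto.so.0.9.8": b"\x7fELF...OpenSSL 0.9.8y 5 Feb 2013\x00...",
        "README.txt":             b"no banner in this file",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, blob in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(blob)
        return list(scan_tree(root))


if __name__ == "__main__":
    for f in demo():
        status = "CVE-2014-0160 range" if f.in_cve_range else "not in range"
        print(f"{f.path:24} OpenSSL {f.version:10} {status}")
```

A banner in the range is a reason to look further, not proof of exposure: the library must also be the one terminating a TLS connection. The inverse is also unreliable on Linux distributions that backport fixes, since a patched package can keep the old banner (Debian and Ubuntu shipped fixed builds still reporting 1.0.1e and 1.0.1); only a live heartbeat check settles the question for such hosts.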

Cause

CVE-2014-0160 – OpenSSL 'Heartbleed' Vulnerability

Solution or Workaround

Customers should read the summary below to determine the action they should take for their particular ArcGIS products and services. This summary is updated as mitigation activities are completed.

Services

• ArcGIS Online – Mitigations have been applied to all service endpoints and certificates have been re-issued across the platform. As a precautionary measure, Esri encourages users to change passwords for systems where mitigations have been completed, such as ArcGIS Online.

• Managed Services – No customer action is required as the supporting infrastructure was unaffected.

• Esri’s global account systems – No customer action is required as the supporting infrastructure was unaffected.

Desktop Products

• ArcGIS for Desktop/Engine – No customer action is required. The vulnerable OpenSSL library is included with ArcGIS Desktop releases 10.1 SP1, 10.2, 10.2.1, and 10.2.2, but it is not utilized in a manner where the vulnerability is exploitable.

Server Products

• ArcGIS for Server (Windows) – No customer action is required. The vulnerable OpenSSL library is included with ArcGIS Server 10.1 SP1, 10.2, 10.2.1, and 10.2.2, but it is not utilized in a manner where the vulnerability is exploitable.

• ArcGIS for Server (Linux) – Only the print and publishing services are vulnerable for ArcGIS Server 10.2, 10.2.1 and 10.2.2 on Linux. Esri is working on a security patch to address this concern, and in the meantime, these services can be disabled as necessary if utilizing a Linux deployment. A technical article detailing this can be found in KB 42407.

Update April 23, 2014

An OpenSSL (Heartbleed) patch was released which addresses the print and publishing services vulnerability for ArcGIS Server 10.2, 10.2.1, and 10.2.2 on Linux.

• Portal for ArcGIS – No customer action is required.

• Web Gateways – While this is NOT an Esri component, customers who place such a system in front of their web services (such as a reverse proxy or NAT device) that terminates SSL connections using OpenSSL should apply the mitigations their vendor recommends (patch OpenSSL, then re-issue the certificates and rotate the credentials the gateway held). In that deployment it is the gateway, not ArcGIS Server, that a remote client's heartbeat request reaches, so the gateway is the component that must be checked.
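The check a practitioner runs against an SSL-terminating gateway, or against the Linux print and publishing services above, is a heartbeat probe rather than a file scan. The following added example (not Esri code or a tool Esri published) shows the decision logic of such a probe: it builds the RFC 6520 heartbeat request that scanners such as Nmap's ssl-heartbleed script send, and classifies the reply by the one symptom that separates an unpatched OpenSSL from everything else, a heartbeat response whose payload is longer than what the client sent. The replies it classifies are constructed stand-ins; the Verdict names, the demo() function and the sample memory contents are this example's own.

```python
"""Decision logic of a Heartbleed (CVE-2014-0160) probe, run on constructed replies.

Added example for this article, not Esri code or a tool Esri published. It
builds the RFC 6520 heartbeat request that scanners such as Nmap's
ssl-heartbleed script send, and classifies the reply by the one symptom that
separates an unpatched OpenSSL from everything else: a heartbeat response
whose payload is longer than the payload the client actually sent. The replies
are constructed stand-ins; on a live target the request goes out over the TLS
socket after ClientHello/ServerHello and the reply is read from that socket.
"""
import struct
from enum import Enum

TLS_HEARTBEAT, TLS_ALERT = 0x18, 0x15     # TLS content types
HB_REQUEST, HB_RESPONSE = 1, 2            # HeartbeatMessageType
MIN_PADDING = 16                          # RFC 6520 sec. 4: at least 16 bytes of padding
TLS_1_1 = (3, 2)


def tls_record(content_type: int, body: bytes, version=TLS_1_1) -> bytes:
    """Prefix body with a TLS record header: type, version, 16-bit length."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def heartbeat_request(declared_len: int, payload: bytes = b"") -> bytes:
    """Heartbeat request whose length field may overstate the payload actually sent.
    A conformant client sets declared_len == len(payload); the probe lies on purpose
    and relies on the server to check the claim against the record length."""
    return tls_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, declared_len) + payload)


class Verdict(Enum):
    VULNERABLE = "heartbeat response echoed bytes the client never sent"
    NOT_VULNERABLE = "heartbeat discarded, refused, or echoed faithfully"
    INCONCLUSIVE = "reply was not a complete, recognisable TLS record"


def parse_record(data: bytes):
    """Split one TLS record off the front: (content_type, body) or None if incomplete."""
    if len(data) < 5:
        return None
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    if len(data) < 5 + length:
        return None
    return ctype, data[5:5 + length]


def classify(sent_payload_len: int, reply: bytes) -> Verdict:
    """Judge the reply to heartbeat_request(); b"" stands for a timeout with no data."""
    if reply == b"":
        return Verdict.NOT_VULNERABLE      # patched OpenSSL silently drops the bad request
    rec = parse_record(reply)
    if rec is None:
        return Verdict.INCONCLUSIVE
    ctype, body = rec
    if ctype == TLS_ALERT:
        return Verdict.NOT_VULNERABLE      # heartbeat extension unsupported or rejected
    if ctype != TLS_HEARTBEAT or len(body) < 3 or body[0] != HB_RESPONSE:
        return Verdict.INCONCLUSIVE
    echoed_len = struct.unpack("!H", body[1:3])[0]
    if echoed_len > sent_payload_len:
        # The extra bytes are whatever sat after the request in the server's buffer.
        return Verdict.VULNERABLE if len(body) >= 3 + echoed_len else Verdict.INCONCLUSIVE
    return Verdict.NOT_VULNERABLE


def constructed_unpatched_reply(declared_len: int) -> bytes:
    """Shape of the reply from OpenSSL 1.0.1 to 1.0.1f: declared_len bytes copied from memory."""
    memory = (bytes(range(256)) * (declared_len // 256 + 1))[:declared_len]  # constructed stand-in
    body = struct.pack("!BH", HB_RESPONSE, declared_len) + memory + b"\x00" * MIN_PADDING
    return tls_record(TLS_HEARTBEAT, body)


def constructed_alert_reply() -> bytes:
    """A fatal unexpected_message alert, as sent by a stack that refuses heartbeats."""
    return tls_record(TLS_ALERT, bytes([2, 10]))


def demo() -> dict:
    """Classify four constructed replies to the classic 3-byte probe (18 03 02 00 03 01 40 00)."""
    declared, payload = 0x4000, b""
    probe = heartbeat_request(declared, payload)
    faithful = tls_record(TLS_HEARTBEAT,
                          struct.pack("!BH", HB_RESPONSE, 5) + b"hello" + b"\x00" * MIN_PADDING)
    return {
        "probe_hex": probe.hex(),
        "unpatched": classify(len(payload), constructed_unpatched_reply(declared)),
        "patched_silent_drop": classify(len(payload), b""),
        "refuses_heartbeats": classify(len(payload), constructed_alert_reply()),
        "faithful_echo_of_5_bytes": classify(5, faithful),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26} {value}")
```

Two practical points follow from the logic. A silent drop and an alert both count as not vulnerable because the fix in OpenSSL 1.0.1g discards a heartbeat whose declared length does not fit in the record, exactly as RFC 6520 requires. And the reply always comes from the first OpenSSL that terminates the TLS connection, so a gateway in front of ArcGIS Server answers for itself, not for the backend; each SSL-terminating hop has to be probed on its own.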

Update July 7, 2014

Esri released the ArcGIS 10.1 SP1 - 10.2.2 (Desktop, Engine, Server) OpenSSL Update Patch. This patch replaces the non-exploitable copies of the defective OpenSSL library, commonly called Heartbleed, that may still exist in ArcGIS 10.1 Service Pack 1 through ArcGIS 10.2.2. Although these copies are not exploitable, customers who run security scan software on these ArcGIS releases may still see false positives until this patch has been applied.

Runtime SDKs

• ArcGIS Runtime – No customer action is required. The vulnerable OpenSSL library is included with Runtime WPF/Qt/Java releases 10.1.1, 10.2, 10.2.2, and the iOS/Android/OS X 10.2.2 release, but it is not utilized in a manner where the vulnerability is exploitable.



Created: 4/10/2014
Last Modified: 7/7/2014


Comments

By rich6626 - 04/18/2014 9:54 AM

Other - See details below.

This article has been updated.

By cvonstetten - 04/17/2014 10:14 AM

Other - See details below.

What isn't addressed here is whether the esri.com website(s) were affected by Heartbleed. If they were: 1. Have they been patched? 2. Have the certificates for those sites been re-issued? 3. Users should be informed and it should be suggested that passwords should be changed. Furthermore, even if ArcGIS Online has been patched, users need to be notified once the certificates have been reissued, and passwords should be changed there as well.
