Bug: ArcGIS for Server is vulnerable to CVE-2014-0224 on Linux

Description

ArcGIS for Server is vulnerable to CVE-2014-0224, the "CCS injection" flaw in OpenSSL's handling of ChangeCipherSpec messages. The vulnerability is exploitable only when all of the following are true:

• ArcGIS for Server is running on Linux
• The Print Service is used to access services over HTTPS
• The services that the Print Service calls sit behind a reverse proxy that terminates TLS with a vulnerable version of OpenSSL
• An attacker has a man-in-the-middle position from which to intercept the HTTPS traffic between these two machines

Under these conditions the attacker can force both sides to derive their session keys from a zero-length master secret, and can then decrypt, and potentially modify, the traffic between the Print Service and the services it accesses.

Customers are not affected if they do not use the Print Service, do not place a reverse proxy in front of ArcGIS Server, or run ArcGIS Server on Windows.

A workaround is immediately available and a patch is coming soon.

Cause

The root cause is a flaw in OpenSSL, not in ArcGIS for Server's own code: vulnerable OpenSSL releases accept a ChangeCipherSpec message before the handshake has produced keying material.

ArcGIS for Server's internal HTTPS server does not use OpenSSL on any platform, so ArcGIS Server is not exposed on the server side of a connection.

ArcGIS for Server on Linux uses OpenSSL when it makes outbound client connections, such as the Print Service calling other services over HTTPS. ArcGIS for Server on Windows uses Microsoft's WinInet library, which relies on the Windows SChannel TLS implementation rather than OpenSSL and is therefore not affected.

Workaround

CVE-2014-0224 can only be exploited when both ends of the connection run vulnerable OpenSSL: here the client side is ArcGIS Server on Linux and the server side is the reverse proxy. Upgrading OpenSSL on the reverse proxy to a fixed release (0.9.8za, 1.0.0m, 1.0.1h, or later releases on those branches) immediately removes the exploitable condition, even before the ArcGIS Server patch is applied. Per the OpenSSL advisory, only servers on the 1.0.1 branch (and the 1.0.2-beta1 pre-release) are known to be exploitable as servers; older branches should still be upgraded as a precaution, and every unpatched release is vulnerable when acting as a client. When verifying the proxy, keep in mind that Linux distributions often backport security fixes without changing the reported version number, so check the package changelog (for example "rpm -q --changelog openssl | grep CVE-2014-0224" on RPM-based systems) rather than trusting "openssl version" alone.
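The script below is an added illustration, not part of Esri's advisory or product code. It implements the check described above for the two hosts involved: it parses "openssl version" banners, compares them against the fixed releases named in the OpenSSL advisory (0.9.8za, 1.0.0m, 1.0.1h, and 1.0.2-beta2 for the 1.0.2 pre-releases), distinguishes the client role (ArcGIS Server on Linux) from the server role (the reverse proxy), and reports whether a given client/proxy pair is still exploitable. It goes slightly beyond the page by also classifying the 1.0.2 beta releases and the older server branches the advisory flags as "upgrade as a precaution". The sample banners are constructed, and the function names are this example's own.

```python
import re
import subprocess

# Fixed releases per branch, per the OpenSSL security advisory of 5 June 2014 (CVE-2014-0224).
# OpenSSL patch letters sort as base-26 strings of increasing length, so "za" comes after "z".
FIXED_LETTERS = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# Matches banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9.]+))?")


def parse_banner(banner):
    """Split an 'openssl version' banner into (branch, patch letters, suffix).

    Returns None for anything that is not an OpenSSL banner (LibreSSL, GnuTLS, ...).
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    branch = ".".join(m.group(1, 2, 3))
    return branch, m.group(4), m.group(5) or ""


def _letters_key(letters):
    # Shorter letter strings are older: "" < "a" < ... < "z" < "za" < "zb"
    return (len(letters), letters)


def ccs_status(banner, role="server"):
    """Classify a banner for CVE-2014-0224 as 'fixed', 'vulnerable', 'precaution' or 'unknown'.

    role is 'client' or 'server'. Every unpatched release is vulnerable as a client; as a
    server only the 1.0.1 branch and 1.0.2-beta1 are known to be exploitable, and the
    advisory recommends upgrading older server branches as a precaution.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    branch, letters, suffix = parsed
    if branch == "1.0.2":
        # 1.0.2-beta1 predates the fix; 1.0.2-beta2 and every later 1.0.2 release carry it.
        return "vulnerable" if suffix == "beta1" else "fixed"
    fixed = FIXED_LETTERS.get(branch)
    if fixed is None:
        numeric = tuple(int(x) for x in branch.split("."))
        # 1.1.0 and later were released after the fix; anything older than 0.9.8 is off the map.
        return "fixed" if numeric > (1, 0, 2) else "unknown"
    if _letters_key(letters) >= _letters_key(fixed):
        return "fixed"
    if role == "server" and branch != "1.0.1":
        return "precaution"
    return "vulnerable"


def pair_exploitable(client_banner, server_banner):
    """True only when both ends are vulnerable, which is what CVE-2014-0224 requires."""
    return (ccs_status(client_banner, "client") == "vulnerable"
            and ccs_status(server_banner, "server") == "vulnerable")


def local_banner():
    """Banner of the OpenSSL binary on this host, or None if it cannot be run."""
    try:
        return subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Constructed sample banners standing in for the ArcGIS Server host (client side)
    # and several candidate reverse proxies (server side); not taken from any real deployment.
    arcgis_linux = "OpenSSL 1.0.1e-fips 11 Feb 2013"
    proxies = [
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.1h 5 Jun 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
    ]
    for proxy in proxies:
        print(f"{proxy:35} server={ccs_status(proxy):11} "
              f"exploitable_with_client={pair_exploitable(arcgis_linux, proxy)}")
    here = local_banner()
    if here:
        print(f"this host: {here} -> client={ccs_status(here, 'client')}")
```

The banner check is a first pass only: a distribution package reporting 1.0.1e may already carry the backported fix, so a "vulnerable" result on a vendor-patched system should be confirmed against the package changelog before acting on it, while a "fixed" result from an upstream build can be trusted.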