FAQ: What is the POODLE security vulnerability and does it affect Esri products?

Question

What is the POODLE security vulnerability and does it affect Esri products?

Answer

On October 14, 2014, a security vulnerability involving SSL v3, called POODLE (CVE-2014-3566), was revealed. This issue is considered only a moderate risk, in part because SSL v3 is estimated to be used by less than 2% of internet users. Many of those users run browsers as old as IE6, which are no longer supported across most products and do not support the TLS protocol.

ArcGIS Online
Esri has disabled SSL v3 for all ArcGIS Online web service endpoints, so ArcGIS Online is not vulnerable to POODLE attacks.

ArcGIS for Server and Portal for ArcGIS
Current versions of these products handle HTTPS requests in a way that allows fallback to SSL v3. However, Esri recommends that production implementations place the ArcGIS web adaptor in front of them, so that encrypted connections with clients are terminated by the web server the adaptor is deployed to. Each web server vendor has specific guidance on how to disable SSL v3 in its products.

Esri has already disabled SSL v3 for the upcoming ArcGIS 10.3 release. All browser versions supported with the ArcGIS Platform support TLS and work without issue. All versions of Python included with the ArcGIS Platform since 10.0 support TLS; therefore, most custom scripts should continue to work.
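
To confirm that a web server in front of ArcGIS for Server or Portal for ArcGIS refuses SSL v3 once the vendor's guidance has been applied, a check like the following can be run against it. This is an added example, not Esri code; the function names, the sample reply bytes and the commented-out host name are constructed for illustration.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# Suites offered: AES128-SHA, AES256-SHA, 3DES-SHA (CBC, the mode POODLE targets), RC4-SHA
SUITES = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"

def ssl3_client_hello():
    """Build a minimal ClientHello whose highest offered version is SSL v3."""
    body = (SSL3 + os.urandom(32)                      # client_version, random
            + b"\x00"                                  # empty session_id
            + struct.pack(">H", len(SUITES)) + SUITES  # cipher_suites
            + b"\x01\x00")                             # null compression only
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake

def classify_reply(data):
    """Map the first bytes of the server's reply to accepted/refused/unknown."""
    if len(data) < 5 or data[0] == 0x15:   # no usable reply, or an alert record
        return "refused"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: server_version follows the 4-byte handshake header
        return "accepted" if data[9:11] == SSL3 else "unknown"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the SSL v3 hello to host:port and classify what comes back."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ssl3_client_hello())
        try:
            while len(data) < 11:
                chunk = sock.recv(64)
                if not chunk:
                    break
                data += chunk
        except OSError:                    # reset or timeout: treated as no reply
            pass
    return classify_reply(data)

# Constructed sample replies (not captured from any real server)
SAMPLE_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00"
                       + b"\x00" * 33 + b"\x00\x2f\x00")
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"   # fatal handshake_failure

if __name__ == "__main__":
    for name, raw in (("hello", SAMPLE_SERVER_HELLO), ("alert", SAMPLE_ALERT)):
        print(name, "->", classify_reply(raw))
    # probe("gis.example.com")  # hypothetical host; use your own server
```

A result of "accepted" means the endpoint still negotiates SSL v3 and the web server configuration needs another look.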