On April 7, 2014, a security vulnerability with servers running the OpenSSL cryptographic library was revealed at Heartbleed.com. The security advisory for this vulnerability is CVE-2014-0160. Esri staff have been performing maintenance to validate, secure, and patch Esri servers and infrastructure to close this vulnerability and ensure Esri customers are protected.
The vulnerable OpenSSL library versions were not used in ArcGIS 10.1 and earlier releases, so these are not affected. Only versions from 10.1 SP1 and later are affected.
CVE-2014-0160 – OpenSSL 'Heartbleed' Vulnerability
Customers should read the summary below to determine the action they should take for their particular ArcGIS products and services. This summary is updated as mitigation activities are completed.
• ArcGIS Online – Mitigations have been applied to all service endpoints and certificates have been re-issued across the platform. As a precautionary measure, Esri encourages users to change passwords for systems where mitigations have been completed, such as ArcGIS Online.
• Managed Services – No customer action is required as the supporting infrastructure was unaffected.
• Esri’s global account systems – No customer action is required as the supporting infrastructure was unaffected.
• ArcGIS for Desktop/Engine – No customer action is required. The vulnerable OpenSSL library is included with ArcGIS Desktop releases 10.1 SP1, 10.2, 10.2.1, and 10.2.2, but it is not utilized in a manner where the vulnerability is exploitable.
• ArcGIS for Server (Windows) – No customer action is required. The vulnerable OpenSSL library is included with ArcGIS Server 10.1 SP1, 10.2, 10.2.1, and 10.2.2, but it is not utilized in a manner where the vulnerability is exploitable.
• ArcGIS for Server (Linux) – Only the print and publishing services are vulnerable for ArcGIS Server 10.2, 10.2.1 and 10.2.2 on Linux. Esri is working on a security patch to address this concern, and in the meantime, these services can be disabled as necessary if utilizing a Linux deployment. A technical article detailing this can be found in KB 42407.
Update April 23, 2014
An OpenSSL (Heartbleed) patch was released which addresses the print and publishing services vulnerability for ArcGIS Server 10.2, 10.2.1, and 10.2.2 on Linux.
• Portal for ArcGIS – No customer action is required.
• Web Gateways – While this is NOT an Esri component, customers utilizing such a system in front of their web services (such as reverse proxy or NAT), operating as the termination point for SSL connections utilizing OpenSSL, should ensure mitigations are put in place according to their vendor’s recommendations.
Update July 7, 2014
Esri released the ArcGIS 10.1 SP1 - 10.2.2 for (Desktop, Engine, Server) OpenSSL Update Patch. This patch addresses non-exploitable instances of the OpenSSL defect, commonly called Heartbleed, that may still exist in ArcGIS 10.1 Service Pack 1 through ArcGIS 10.2.2. While these are non-exploitable instances of OpenSSL, customers who run security scan software on these ArcGIS releases may still see false positives until this software patch has been applied.
• ArcGIS Runtime – No customer action is required. The vulnerable OpenSSL library is included with Runtime WPF/Qt/Java releases 10.1.1, 10.2, 10.2.2, and the iOS/Android/OS X 10.2.2 release, but it is not utilized in a manner where the vulnerability is exploitable.
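Because the bundled library can trigger scanner findings even where Esri states it is not exploitable, a first triage step is to classify the OpenSSL version each finding reports. The helper below is an added example, not Esri code or part of this article; the scanner lines, host names and field layout are constructed for illustration, and the version ranges come from the public CVE-2014-0160 advisory (1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never had the affected heartbeat code).

```python
"""Triage helper: classify OpenSSL version strings against CVE-2014-0160."""
import re

# Accepts "1.0.1e", "OpenSSL 1.0.1e 11 Feb 2013", "1.0.2-beta1", etc.
VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# Constructed scanner output (hypothetical hosts and fields, not real data).
SAMPLE_FINDINGS = [
    "host=gis-linux-01 product=ArcGIS Server 10.2.1 openssl=1.0.1e",
    "host=gis-win-02 product=ArcGIS Desktop 10.2.2 openssl=1.0.1c",
    "host=proxy-01 product=reverse proxy openssl=OpenSSL 1.0.1g 7 Apr 2014",
]


def heartbleed_status(version):
    """Return 'vulnerable', 'fixed' or 'unaffected' for an OpenSSL version string.

    Caveat: distributions that backport the fix keep the old version letter
    (e.g. a patched 1.0.1e), so a 'vulnerable' verdict from the string alone is
    a lead for investigation, not proof; confirm against the vendor's patch list.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        # 1.0.1 (including its betas) through 1.0.1f are affected; 1.0.1g fixed it.
        return "vulnerable" if letter < "g" else "fixed"
    if release == (1, 0, 2):
        # Only the first 1.0.2 pre-release shipped the defect.
        return "vulnerable" if beta == "1" else "fixed"
    return "unaffected"


def triage(lines):
    """Map each scanner line (key=value fields) to a host -> status verdict."""
    verdicts = {}
    for line in lines:
        # Values may contain spaces ("ArcGIS Server 10.2.1"), so split on the
        # next "key=" token rather than on whitespace.
        fields = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))
        verdicts[fields["host"]] = heartbleed_status(fields["openssl"])
    return verdicts


if __name__ == "__main__":
    for host, status in triage(SAMPLE_FINDINGS).items():
        print(f"{host}: {status}")
```

A "vulnerable" verdict still has to be read against the product list above: for the Windows and Desktop entries Esri states the library is not used in an exploitable way, so the version check narrows the list but the product context decides the action.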