English

FAQ: How are ArcGIS for Server and Portal for ArcGIS affected by CVE-2014-0160 (Heartbleed)?

Question

How are ArcGIS for Server and Portal for ArcGIS affected by CVE-2014-0160 (Heartbleed)?

Answer

CVE-2014-0160, termed 'heartbleed' by the media, is a vulnerability found in certain versions of OpenSSL that allows information to be retrieved from a client or a server using SSL/TLS. When a client is able to exploit the vulnerability against a server, the private key for the web server can be retrieved and all encrypted communications can be decrypted by malicious third-parties.

Portal for ArcGIS is not vulnerable to this problem.

ArcGIS for Server on Windows does include OpenSSL binaries and may be flagged by security scanners, but is not vulnerable. ArcGIS for Server does not use OpenSSL in handling web service requests (it uses Java's SSL implementation) and uses WinInet (Microsoft's implementation) for connecting to remote web services.

ArcGIS for Server on Linux 10.2, 10.2.1, and 10.2.2 are vulnerable, not as a server, but as a client to other servers which happens only in the Print Service and Publishing Services when they connect to remote ArcGIS Servers. This means that encryption for ArcGIS for Server on Linux has not been compromised. However, attackers may be able to discover where ArcGIS for Server has been installed, the name of the running user, and potentially even be able to crash the print service.

Update April 23, 2014

An OpenSSL (Heartbleed) patch was released which addresses the print and publishing services vulnerability for ArcGIS Server 10.2, 10.2.1, and 10.2.2 on Linux. The issue addressed by this patch is:

• NIM100876 - The print service and publishing service in ArcGIS Server on Linux are vulnerable to an OpenSSL defect that reveals the memory contest of the print service and publish tools.

Related Information