Patches and updates
ArcGIS 10.2 - 10.2.2 for Server OpenSSL (Heartbleed) Patch
Esri® announces the ArcGIS 10.2 - 10.2.2 for Server OpenSSL (Heartbleed) Patch. ArcGIS Server uses a library called OpenSSL that has a serious security vulnerability (CVE-2014-0160). The OpenSSL vulnerability is exploitable in ArcGIS for Server on Linux, but not on Windows. When exploited, the memory of the print service and publishing services may be accessed, which may reveal to an attacker information such as file locations, machine names, and the name of the user running ArcGIS Server. It cannot be used to reveal private keys. This patch deals specifically with the issues listed below under Issues Addressed with this Patch.
- NIM100876 - The print service and publishing service in ArcGIS Server on Linux are vulnerable to an OpenSSL defect that reveals the in-memory contents of the print service and publishing tools.
Description: This issue allows an attacker to reveal in-memory contents of the print and publishing services, including deployment details for ArcGIS Server on Linux such as the installation location, process owner, and other details.
- NIM100949 - Update ArcGIS Server so it will not report a "false positive" when tested for OpenSSL Vulnerability CVE-2014-0160 (Heartbleed).
Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.
ArcGIS 10.2, 10.2.1, or 10.2.2 for Server must be installed before installing this patch.
- Download the appropriate file to a location other than your ArcGIS installation location.
- Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.
- Extract the specified tar file by typing:
% tar -xvf ArcGIS-<Version>-S-OSSL-Patch-lx.tar
- Start the installation by typing:
This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
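A preflight check for the preconditions in the steps above (install owner, write access, archive downloaded outside the installation location), as an added example that is not part of Esri's patch or documentation. The function name and both path arguments are assumptions, since the page gives no concrete paths.

```shell
#!/bin/sh
# Added example: preflight checks for the patch install steps.
# Usage: arcgis_patch_preflight INSTALL_DIR PATCH_TAR
# Both paths are operator-supplied assumptions; the page names no paths.
arcgis_patch_preflight() {
    pf_install=$1
    pf_tar=$2
    pf_rc=0

    [ -d "$pf_install" ] || { echo "FAIL: no such install directory: $pf_install" >&2; return 2; }
    [ -f "$pf_tar" ] || { echo "FAIL: no such patch archive: $pf_tar" >&2; return 2; }

    # Resolve symlinks so the location test below compares real paths.
    pf_real_install=$(cd "$pf_install" && pwd -P)
    pf_real_tardir=$(cd "$(dirname "$pf_tar")" && pwd -P)

    # The steps must be run as the install owner (owner of the arcgis folder).
    pf_owner=$(ls -ldn "$pf_real_install" | awk '{print $3}')
    if [ "$pf_owner" != "$(id -u)" ]; then
        echo "FAIL: uid $(id -u) does not own $pf_real_install (owner uid $pf_owner)" >&2
        pf_rc=1
    fi

    # Write access to the installation location is required.
    if [ ! -w "$pf_real_install" ]; then
        echo "FAIL: $pf_real_install is not writable" >&2
        pf_rc=1
    fi

    # The archive must sit outside the installation location.
    case "$pf_real_tardir/" in
        "$pf_real_install"/*)
            echo "FAIL: $pf_tar is inside $pf_real_install" >&2
            pf_rc=1 ;;
    esac

    [ "$pf_rc" -eq 0 ] && echo "OK: preconditions met for $pf_real_install"
    return "$pf_rc"
}
```

The function returns 0 when all three preconditions hold, 1 when one is violated, and 2 when a path does not exist. It does not check whether anyone is using ArcGIS; confirm that separately.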
Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.
To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.
Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.