Patches and updates

ArcGIS Security Update for Flexera CVE-2016-10395

Published: August 2, 2017

Summary

The ArcGIS Security Update for Flexera CVE-2016-10395 is a Windows-only patch that addresses a vulnerability identified with the Flexnet Licensing Service.

Description

Esri® announces the ArcGIS Security Update for Flexera CVE-2016-10395. This patch addresses a vulnerability that may be exploited by malicious users to potentially gain escalated privileges on the local system. This patch applies to all affected ArcGIS products and is backward compatible to ArcGIS version 10.1. It deals specifically with the issues listed below under Issues Addressed with this patch.

Note: The impacted versions of Flexnet Publisher are deployed in ArcGIS License Manager, ArcGIS Engine and ArcGIS Desktop 10.1 through 10.5.1 (including ArcGIS Pro versions 1.2 through 2.0), ArcGIS Server and Portal for ArcGIS 10.5 and 10.5.1. This issue also impacts Esri CityEngine 2015.2 through 2017.0.

Issues Addressed with this patch


  • A vulnerability, CVE-2016-10395, has been reported in FlexNet Publisher versions 11.14.1.0 and earlier, which may be exploited by malicious users to potentially gain escalated privileges to the local system.

  • An Out-of-bounds Read (CWE-125) in the Windows FlexNet Publisher Licensing Service could theoretically be used to alter program flow.
  • Successful exploitation may allow execution of arbitrary code with SYSTEM privileges.
  • Only the Flexnet Publisher licensing service is vulnerable. All other Flexnet Publisher components, for example LMGRD or LMADMIN, are not affected.

 

Installing this patch on Windows

Important Note:

This patch only needs to be installed once per computer even if more than one ArcGIS product is installed. The minimum operating system requirements are Windows 7 and Server 2008 R2.

Installation Steps:

The setup will automatically detect and upgrade the Flexnet Publisher licensing service. You must save your work and exit all ArcGIS programs before performing the upgrade. After the upgrade is complete, you may restart your applications.

  1. Download the file to a location other than your ArcGIS installation location.

    Flexnet Publisher licensing service    Checksum (MD5)

    64-bit: ArcGISFlexCVEx64.exe           2977172E693B06860B7B1FDCA33E94F0
      ArcGIS Pro 1.2 through 2.0
      ArcGIS Server 10.5 and 10.5.1
      Portal for ArcGIS 10.5 and 10.5.1
      Esri CityEngine 2015.2 through 2017.0 64-bit

    32-bit: ArcGISFlexCVEx86.exe           B44AD799944965B4ADF7340ACDD8D671
      ArcGIS Desktop 10.1 through 10.5.1
      ArcGIS Engine 10.1 through 10.5.1
      ArcGIS License Manager 10.1 through 10.5.1
      Esri CityEngine 2015.2 through 2017.0 32-bit

  2. Make sure you have write access to your ArcGIS installation location.
  3. Double-click <ArcGISFlexCVEx64.EXE or ArcGISFlexCVEx86.EXE> to start the setup process.
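
The download in step 1 can be checked against the published MD5 values before it is run in step 3. The script below is an added example, not part of Esri's instructions; it assumes PowerShell 4.0 or later (for Get-FileHash), and the $Path parameter name is hypothetical.

```powershell
# Added example: verify a downloaded installer against the MD5 values
# published in the download table on this page before running it.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # hypothetical parameter: path to the downloaded .exe
)

# File names and MD5 checksums copied from the table in step 1.
$Published = @{
    'ArcGISFlexCVEx64.exe' = '2977172E693B06860B7B1FDCA33E94F0'
    'ArcGISFlexCVEx86.exe' = 'B44AD799944965B4ADF7340ACDD8D671'
}

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# Hashtable literals use case-insensitive string keys, so .EXE and .exe both match.
$expected = $Published[$file.Name]
if (-not $expected) {
    throw "Unexpected file name '$($file.Name)'; expected one of: $($Published.Keys -join ', ')"
}

$actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
if ($actual -ne $expected) {   # -ne compares strings case-insensitively
    throw "MD5 mismatch for $($file.Name): expected $expected, got $actual. Do not run this file."
}
Write-Output "MD5 matches the published value for $($file.Name)."

# MD5 detects a corrupted or truncated download but is not collision
# resistant, so also report the Authenticode status of the file.
# Assumption: the page does not say whether the installer is signed or by whom,
# so the result is reported for the administrator to judge, not enforced.
$sig = Get-AuthenticodeSignature -FilePath $file.FullName
Write-Output "Authenticode status: $($sig.Status)"
if ($sig.SignerCertificate) {
    Write-Output "Signer: $($sig.SignerCertificate.Subject)"
}
```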

 

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

August 16, 2017: Updates have been made to clarify the impacted versions of Flexnet Publisher.

January 19, 2018: Updates have been made to the Flexnet Publisher version within the patch.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575 if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.



Download ID:7521
