Patches and updates
ArcGIS Security Update for Flexera CVE-2016-10395
Esri® announces the ArcGIS Security Update for Flexera CVE-2016-10395. This patch addresses a vulnerability, which may be exploited by malicious users to potentially gain escalated privileges to the local system. This patch will apply to all affected ArcGIS products and is backward compatible to version ArcGIS version 10.1. It deals specifically with the issues listed below under Issues Addressed with this patch.
Note: The impacted versions of Flexnet Publisher are deployed in ArcGIS License Manager, ArcGIS Engine and ArcGIS Desktop 10.1 through 10.5.1 (including ArcGIS Pro versions 1.2 through 2.0), ArcGIS Server and Portal for ArcGIS 10.5 and 10.5.1. This issue also impacts Esri CityEngine 2015.2 through 2017.0
- A vulnerability CVE-2016-10395 has been reported in FlexNet Publisher versions 220.127.116.11 and earlier, which may be exploited by malicious users to potentially gain escalated privileges to the local system.
- An Out-of-bounds Read (CWE-125) in the Windows FlexNet Publisher Licensing Service could theoretically be used to alter program flow.
- Successful exploitation may allow execution of arbitrary code with SYSTEM privileges.
- Only the Flexnet Publisher licensing service is vulnerable. All other Flexnet Publisher components, for example LMGRD or LMADMIN, are not affected.
This patch only needs to be installed once per computer even if more than one ArcGIS product is installed. The minimum operating system requirements are Windows 7 and Server 2008 R2.
The setup will automatically detect and upgrade the Flexnet Publisher licensing service. You must save your work and exit all ArcGIS programs before performing the upgrade. After the upgrade is complete, you may restart your applications.
- Download the file to a location other than your ArcGIS installation location.
Flexnet Publisher licensing service Checksum (Md5) 64-bit ArcGISFlexCVEx64.exe 2977172E693B06860B7B1FDCA33E94F0 ArcGIS Pro 1.2 through 2.0
ArcGIS Server 10.5 and 10.5.1
Portal for ArcGIS 10.5 and 10.5.1
Esri CityEngine 2015.2 through 2017.0 64-bit
32-bit ArcGISFlexCVEx86.exe B44AD799944965B4ADF7340ACDD8D671 ArcGIS Desktop 10.1 through 10.5.1
ArcGIS Engine 10.1 through 10.5.1
ArcGIS License Manager 10.1 through 10.5.1
Esri CityEngine 2015.2 through 2017.0 32-bit
- Make sure you have write access to your ArcGIS installation location.
- Double-click <ArcGISFlexCVEx64.EXE or ArcGISFlexCVEx86.EXE> to start the setup process.
Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.
August 16, 2017: Updates have been made to clarify the impacted versions of Flexnet Publisher .
January 19, 2018: Updates have been made to the Flexnet Publisher version within the patch.
Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.