FAQ: Are ArcGIS 10.1 and 10.2 impacted by Python Vulnerability CVE-2013-7040?
Are ArcGIS 10.1 and 10.2 impacted by Python Vulnerability CVE-2013-7040?
No, ArcGIS 10.1 and 10.2 are not impacted by Python vulnerability CVE-2013-7040. Esri takes security concerns seriously and has researched the Python issue CVE-2013-7040 as it applies to the ArcGIS for Desktop and ArcGIS for Server products.
It is important to clarify that this Python vulnerability:
• Is classified as a moderate risk (CVSS 4.3) by US-CERT
• Is a denial-of-service issue only; it does not affect the confidentiality or integrity of data
• Relies on the affected system operating as a web server
• Relies on that web server passing every key and value submitted in a form directly to Python, where carefully crafted keys (chosen to collide in Python's string hash and so degrade dictionary operations) can drive CPU consumption and cause a denial of service
Why are ArcGIS for Desktop and ArcGIS for Server not vulnerable to this Python vulnerability?
• ArcGIS for Desktop is not configured to operate as a web server, and therefore the vulnerability is not applicable to this product.
• ArcGIS for Server uses Java to parse inputs and discards every submitted key except the ones defined by the author of the geoprocessing script. Arbitrary, attacker-chosen keys are therefore never sent to Python, and ArcGIS for Server is not vulnerable.
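The two bullets above describe an attack (every submitted form key is inserted into a Python dictionary) and the mitigation ArcGIS for Server applies (only keys the script author declared are forwarded). The following is an added example written for this FAQ, not Esri's code and not how ArcGIS for Server is implemented; it contrasts the naive pattern with an allow-list filter in plain Python. The parameter names, the field-count cap and the sample query string are all constructed for illustration.

```python
"""Allow-list filtering of submitted query parameters.

Added example for this FAQ (not Esri/ArcGIS code). It mirrors the idea that
a front end should discard every submitted key the geoprocessing script did
not declare, so attacker-chosen keys never become Python dict keys.
"""
import sys
from urllib.parse import parse_qsl

# Hypothetical parameter names a geoprocessing script might declare.
DECLARED_PARAMS = frozenset({"Input_Features", "Buffer_Distance", "f"})

# Defense-in-depth cap on submitted fields; an added safeguard, not something
# the FAQ describes.
MAX_FIELDS = 1000


def naive_params(query_string):
    """The pattern the FAQ warns about: every submitted key is inserted into a
    dict, so the attacker controls the hash-table keys."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


def filtered_params(query_string, declared=DECLARED_PARAMS, max_fields=MAX_FIELDS):
    """Keep only declared keys. Returns (kept_dict, dropped_count).

    Undeclared keys are counted and discarded without ever being inserted
    into a dict; an oversized submission is rejected before parsing.
    """
    # Count fields cheaply (no hashing) before doing any real work.
    if query_string.count("&") + 1 > max_fields:
        raise ValueError("too many submitted fields (limit %d)" % max_fields)
    kept = {}
    dropped = 0
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key in declared:          # membership test against a fixed, trusted set
            kept[key] = value
        else:
            dropped += 1
    return kept, dropped


def hash_randomization_enabled():
    """True when the interpreter randomizes str hashes (default since
    Python 3.3; opt-in via -R / PYTHONHASHSEED on 2.7)."""
    return bool(sys.flags.hash_randomization)


# Constructed sample: three legitimate parameters plus 50 attacker-chosen junk keys.
SAMPLE_QUERY = "Input_Features=roads&Buffer_Distance=100+Meters&f=json&" + "&".join(
    "k%04d=x" % i for i in range(50)
)

if __name__ == "__main__":
    print("naive dict size:", len(naive_params(SAMPLE_QUERY)))
    kept, dropped = filtered_params(SAMPLE_QUERY)
    print("kept:", kept, "dropped:", dropped)
    print("hash randomization enabled:", hash_randomization_enabled())
```

With the sample input, `naive_params` builds a 53-key dictionary entirely from attacker-supplied names, while `filtered_params` yields only the three declared parameters and reports 50 dropped keys. The `hash_randomization_enabled` check is useful when auditing a Python 2.7 deployment that does accept arbitrary keys, since there the `-R` flag is opt-in.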
Should a customer upgrade to the Python 3.3 release with ArcGIS 10.1 or 10.2?
No, the Python 3.3 release is incompatible with the ArcGIS 10.1 and 10.2 platforms. While Python 3.3 is not supported with ArcGIS 10.1 and 10.2, customers who have other security concerns with Python can continue to apply updates within the Python 2.7 line (currently at 2.7.8) as necessary.