Problem: OpenSSL Vulnerability CVE-2014-0160 (Heartbleed)
On April 7, 2014, a security vulnerability in the OpenSSL cryptographic library, affecting servers that use it for SSL/TLS, was revealed at Heartbleed.com. The vulnerability has been assigned the identifier CVE-2014-0160. Esri staff have been performing maintenance to validate, secure, and patch Esri servers and infrastructure to close this vulnerability and ensure Esri customers are protected.
ArcGIS 10.1 and earlier releases ship OpenSSL versions that predate the defect and are not affected. Only ArcGIS 10.1 SP1 and later releases include a vulnerable version of the library.
Many Esri products include the OpenSSL library but do not use it to implement TLS, the protocol whose heartbeat extension contains the defect. Security scanners are expected to flag the presence of this library, typically by matching its version string against CVE-2014-0160, even though the library is not used in a way that exposes the defect. Esri will be providing software updates that upgrade the OpenSSL library in affected products to eliminate these false positives. This technical article is updated as availability dates are set.
CVE-2014-0160 – OpenSSL 'Heartbleed' Vulnerability
Solution or Workaround
Customers should read the summary below to determine the action they should take for their particular ArcGIS products and services. This summary is updated as mitigation activities are completed.
• ArcGIS Online – Mitigations have been applied to all service endpoints and certificates have been re-issued across the platform. As a precautionary measure, because the defect can expose server memory that may include session credentials, Esri encourages users to change passwords for systems where mitigations have been completed, such as ArcGIS Online.
• Managed Services – No customer action is required as the supporting infrastructure was unaffected.
• Esri’s global account systems – No customer action is required as the supporting infrastructure was unaffected.
• ArcGIS for Desktop/Engine – No customer action is required. The vulnerable OpenSSL library is included with ArcGIS Desktop releases 10.1 SP1, 10.2, 10.2.1, and 10.2.2, but it is not utilized in a manner where the vulnerability is exploitable.
• ArcGIS for Server (Windows) – No customer action is required. The vulnerable OpenSSL library is included with ArcGIS Server 10.1 SP1, 10.2, 10.2.1, and 10.2.2, but it is not utilized in a manner where the vulnerability is exploitable.
• ArcGIS for Server (Linux) – Only the print and publishing services are vulnerable for ArcGIS Server 10.2, 10.2.1, and 10.2.2 on Linux. Esri is working on a security patch to address this concern; in the meantime, these services can be disabled on Linux deployments where they are not needed. A technical article detailing this can be found in KB 42407.
Update April 23, 2014
An OpenSSL (Heartbleed) patch was released which addresses the print and publishing services vulnerability for ArcGIS Server 10.2, 10.2.1, and 10.2.2 on Linux.
• Portal for ArcGIS – No customer action is required.
• Web Gateways – While these are NOT Esri components, customers who place such a system (for example a reverse proxy or NAT device) in front of their web services, where it acts as the termination point for SSL/TLS connections using OpenSSL, should ensure mitigations are put in place according to their vendor’s recommendations. For this defect that generally means updating OpenSSL and then replacing the certificate and private key the gateway used while it was vulnerable.
Update July 7, 2014
Esri released the ArcGIS 10.1 SP1 - 10.2.2 for (Desktop, Engine, Server) OpenSSL Update Patch. This patch addresses non-exploitable instances of the OpenSSL defect, commonly called Heartbleed, that may still exist in ArcGIS 10.1 Service Pack 1 through ArcGIS 10.2.2. While these are non-exploitable instances of OpenSSL, customers who run security scan software on these ArcGIS releases may still see false positives until this software patch has been applied.
• ArcGIS Runtime – No customer action is required. The vulnerable OpenSSL library is included with Runtime WPF/Qt/Java releases 10.1.1, 10.2, 10.2.2, and the iOS/Android/OS X 10.2.2 release, but it is not utilized in a manner where the vulnerability is exploitable.
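The false positives described above arise because most scanners locate the OpenSSL version banner compiled into a library file rather than exercising the TLS heartbeat. The following script, an added example and not Esri code or part of any Esri patch, shows how such a check works and why it says nothing about exposure: it walks an install directory for shared libraries, extracts each OpenSSL banner, and flags builds in the affected range (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g contains the fix, and the 1.0.0 and 0.9.8 branches never had the heartbeat code). The sample blobs at the bottom are constructed stand-ins for library files, not real binaries. A hit proves only that a vulnerable build is present; whether it is reachable depends on whether the product uses that library to terminate TLS.

```python
"""Locate OpenSSL version banners in binaries and flag Heartbleed-range builds."""
import re
from pathlib import Path
from typing import List, Tuple

# OpenSSL compiles a banner such as b"OpenSSL 1.0.1e 11 Feb 2013" into its
# shared library (libeay32.dll, libssl.so.1.0.0, ...). Version-based scanners
# match this string instead of testing the TLS heartbeat itself.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)[ \x00]")


def is_heartbleed_build(major: int, minor: int, fix: int, letter: str) -> bool:
    """True for OpenSSL 1.0.1 through 1.0.1f, the releases with the unchecked
    heartbeat payload length. 1.0.1g shipped the fix; 1.0.0.x and 0.9.8.x never
    contained the heartbeat code. (1.0.2-beta1 was also affected, but its
    "-beta" banner deliberately does not match BANNER_RE.)"""
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter == "" or "a" <= letter <= "f"


def scan_bytes(blob: bytes) -> List[Tuple[str, bool]]:
    """Return every (version, vulnerable) pair whose banner appears in blob."""
    found = []
    for m in BANNER_RE.finditer(blob):
        major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
        letter = m.group(4).decode("ascii")
        version = f"{major}.{minor}.{fix}{letter}"
        found.append((version, is_heartbleed_build(major, minor, fix, letter)))
    return found


def scan_tree(root: Path, patterns=("*.dll", "*.so*", "*.dylib")) -> List[Tuple[Path, str, bool]]:
    """Walk an install directory (e.g. an ArcGIS install root) and report each
    library file carrying an OpenSSL banner, with its vulnerability status."""
    results = []
    for pat in patterns:
        for path in root.rglob(pat):
            if path.is_file():
                for version, vulnerable in scan_bytes(path.read_bytes()):
                    results.append((path, version, vulnerable))
    return results


# Constructed sample blobs standing in for library files (not real binaries).
SAMPLE_VULNERABLE = b"\x00" * 16 + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\xff" * 8
SAMPLE_FIXED = b"MZ\x90\x00" + b"OpenSSL 1.0.1g 7 Apr 2014\x00"
SAMPLE_OLD_BRANCH = b"\x7fELF" + b"OpenSSL 1.0.0l 6 Jan 2014\x00"
SAMPLE_NO_BANNER = b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED),
                       ("old branch", SAMPLE_OLD_BRANCH), ("no banner", SAMPLE_NO_BANNER)]:
        print(f"{name:>10}: {scan_bytes(blob)}")
    # To scan a real install directory instead (assumed path):
    # for path, version, vuln in scan_tree(Path("/opt/arcgis")):
    #     print(path, version, "VULNERABLE BUILD" if vuln else "ok")
```

The result of this check should be read the way the article reads it: a vulnerable banner inside a product that does not use the library for TLS is a finding to document and patch for scan hygiene, not an exposed service; a vulnerable banner inside a component that does terminate TLS (a web gateway, or the Linux print and publishing services noted above) is an actual issue.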
- FAQ: How are ArcGIS for Server and Portal for ArcGIS affected by CVE-2014-0160 (Heartbleed)?