PROBLEM

ArcGIS Security Update for Flexera CVE-2016-10395

Last Published: April 25, 2020

Description

A security vulnerability, CVE-2016-10395, has been reported in FlexNet Publisher versions 11.14.1.0 and earlier. Malicious users can exploit it to potentially gain escalated privileges on the local system.

  • An Out-of-bounds Read (CWE-125) in the Windows FlexNet Publisher licensing service could be used to alter program flow.
  • Successful exploitation may allow execution of arbitrary code with SYSTEM privileges.
  • Only the FlexNet Publisher licensing service is vulnerable. All other FlexNet Publisher components (for example, LMGRD or LMADMIN) are not affected.

This Flexera security vulnerability impacts all ArcGIS systems on Windows from ArcGIS 10.1 and above, including ArcGIS 10.5.1.

Cause

CVE-2016-10395. For further information, refer to the Related Information section below.

Solution or Workaround

This security issue is fixed in version 11.14.1.2 (FlexNet Publisher 2016 R2 SP2) and is deployed as the ArcGIS Security Update for Flexera CVE-2016-10395.

Please upgrade the FlexNet licensing service using the ArcGIS Security Update for Flexera CVE-2016-10395. This update applies to all affected ArcGIS products and is backward-compatible to ArcGIS version 10.1. 

The update is available for download as QFE-1051-FLEX-361600: ArcGIS Security Update for Flexera CVE-2016-10395, via the Technical Support web page.

Steps to Install:
The setup automatically detects and upgrades the FlexNet Publisher licensing service. Please save all work and exit all ArcGIS programs before performing this upgrade. After the upgrade is complete, restart the applications.

 

Article ID: 000016365

Software:
  • Enterprise
  • ArcGIS Engine
  • ArcGIS CityEngine
  • ArcGIS Desktop


Related Information
