Frequently asked questions

Is ArcGIS software susceptible to CVE-2010-3599?

Last Published: April 29, 2024

Answer

Some security tools report that ArcGIS software is susceptible to CVE-2010-3599: An error in the WriteJPG() method in the NCSEcw.dll ActiveX control can be exploited to overwrite arbitrary files or potentially cause a buffer overflow. This issue is found in some versions of NCSEcw.dll, which is used to render Enhanced Compression Wavelet (ECW) raster files.

This is a false positive. Exploiting CVE-2010-3599 requires that NCSEcw.dll be registered as a COM object in Esri software. This DLL is not registered as a COM object in ArcGIS Desktop, ArcGIS Engine, or ArcGIS Enterprise. ECW DLLs used in ArcGIS 10.4 and later do not have the COM interface (the ECW SDK version is 5.2.1 in newer versions). In older versions of ArcGIS, the ECW 4.x SDK is used; however, the ECW DLLs are not registered, nor do they use a COM interface, so this vulnerability is not exploitable from the ArcGIS/GDAL installation.

This can be verified independently. To do so, use the HTML in the appendix of the referenced document to check machines with ArcGIS Desktop and ArcGIS Engine. For example, a test on a machine running ArcGIS 10.2.2 returns the following message:

"NCSEcw.NCSRenderer" was NOT found or was unable to load
Error: Automation server can't create object
System not vulnerable to CVE-2010-3599. No further action required
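
The same condition can be checked without a browser by reading the COM registration directly. The following PowerShell is an added example, not Esri's test page or code from the referenced document: it looks up the ProgID shown in the output above in the 64-bit and 32-bit registry views and, if present, reports the DLL it resolves to. The function name and output fields are assumptions made for illustration.

```powershell
# Added example: read-only check for a COM registration of the ECW renderer.
# Only the ProgID comes from the test output above; all other names are hypothetical.
$ProgId = 'NCSEcw.NCSRenderer'

function Get-ComRegistration {
    param([Parameter(Mandatory)][string]$ProgId)

    $hives = [Microsoft.Win32.RegistryHive]::LocalMachine,
             [Microsoft.Win32.RegistryHive]::CurrentUser
    # A 32-bit ActiveX control on 64-bit Windows is only visible in the 32-bit view.
    $views = [Microsoft.Win32.RegistryView]::Registry64,
             [Microsoft.Win32.RegistryView]::Registry32

    foreach ($hive in $hives) {
        foreach ($view in $views) {
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
            try {
                # ProgID -> CLSID mapping (default value of the CLSID subkey)
                $progKey = $base.OpenSubKey("SOFTWARE\Classes\$ProgId\CLSID")
                if (-not $progKey) { continue }
                $clsid = $progKey.GetValue('')
                $progKey.Dispose()

                # CLSID -> in-process server DLL
                $srvKey = $base.OpenSubKey("SOFTWARE\Classes\CLSID\$clsid\InprocServer32")
                $dll = if ($srvKey) { $srvKey.GetValue('') } else { $null }
                if ($srvKey) { $srvKey.Dispose() }

                $version = if ($dll -and (Test-Path -LiteralPath $dll)) {
                    (Get-Item -LiteralPath $dll).VersionInfo.FileVersion
                } else { $null }

                [pscustomobject]@{
                    Hive = $hive; View = $view; Clsid = $clsid
                    Server = $dll; FileVersion = $version
                }
            } finally {
                $base.Dispose()
            }
        }
    }
}

$hits = @(Get-ComRegistration -ProgId $ProgId)
if ($hits.Count -eq 0) {
    "$ProgId is not registered as a COM object on $env:COMPUTERNAME"
} else {
    $hits | Format-Table -AutoSize
}
```

An empty result corresponds to the "was NOT found" outcome of the HTML test; any row returned identifies which installed DLL owns the registration, which helps when the registration comes from software other than ArcGIS.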

Article ID: 000017723
