Frequently Asked Questions

FAQ: Is ArcGIS software susceptible to CVE-2010-3599?

Last Published: April 29, 2024

Answer

Some security tools report that ArcGIS software is susceptible to CVE-2010-3599: An error in the WriteJPG() method in the NCSEcw.dll ActiveX control can be exploited to overwrite arbitrary files or potentially cause a buffer overflow. This issue is found in some versions of NCSEcw.dll, which is used to render Enhanced Compression Wavelet (ECW) raster files.

This is a false positive. Exploiting CVE-2010-3599 requires that NCSEcw.dll be registered as a COM object in Esri software. This DLL is not registered as a COM object in ArcGIS Desktop, ArcGIS Engine, or ArcGIS Enterprise. The ECW DLLs used in ArcGIS 10.4 and later do not have a COM interface (newer versions use ECW SDK 5.2.1). Older versions of ArcGIS use the ECW 4.x SDK; however, those ECW DLLs are neither registered as COM objects nor do they expose a COM interface, so this vulnerability is not exploitable from the ArcGIS/GDAL installation.

This can be verified independently. To do so, use the HTML in the appendix of the referenced document to check machines with ArcGIS Desktop and ArcGIS Engine. For example, a test on a machine running ArcGIS 10.2.2 returns the following message:

"NCSEcw.NCSRenderer" was NOT found or was unable to load
Error: Automation server can't create object
System not vulnerable to CVE-2010-3599. No further action required
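The same verification can be scripted from a PowerShell console on the ArcGIS machine. The script below is an added example for this article; it is not Esri's code and not the HTML probe from the appendix of the referenced document. It checks whether the ProgID "NCSEcw.NCSRenderer" is registered, scans CLSID registrations for any in-process server that points at NCSEcw.dll (which would catch a registration under a different ProgID), attempts to instantiate the object the way the HTML test does, and lists the file version of every NCSEcw.dll under the ArcGIS install folders. The install roots in $searchRoots and the function names are assumptions; adjust them for your deployment.

```powershell
# Added example (not Esri's code): local verification for CVE-2010-3599.
# The finding is only relevant if NCSEcw.dll is exposed as a COM object, so the
# checks below look for a registration and for a loadable instance.

$progId  = 'NCSEcw.NCSRenderer'   # ProgID shown in the article's test output
$dllName = 'NCSEcw.dll'
# Assumed default install roots; change these to match your environment.
$searchRoots = @("${env:ProgramFiles(x86)}\ArcGIS", "$env:ProgramFiles\ArcGIS")

function Test-ProgIdRegistered {
    param([string]$ProgId)
    # A registered ProgID has HKCR\<ProgID>\CLSID whose default value is the CLSID.
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (Test-Path -Path $key) {
        return (Get-ItemProperty -Path $key).'(default)'
    }
    return $null
}

function Find-ComServersForDll {
    param([string]$DllName)
    # Walk every CLSID and report any InprocServer32 that loads the given DLL.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $serverKey = "$($_.PSPath)\InprocServer32"
            $server = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
            if ($server -and ($server.'(default)' -like "*$DllName*")) {
                [pscustomobject]@{ CLSID = $_.PSChildName; Server = $server.'(default)' }
            }
        }
}

function Test-ComInstantiation {
    param([string]$ProgId)
    # Equivalent of the HTML test's ActiveXObject creation. An unregistered
    # ProgID fails here with an "Automation server can't create object"-style error.
    try {
        $obj = New-Object -ComObject $ProgId -ErrorAction Stop
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($obj)
        return $true
    } catch {
        Write-Host "Instantiation of '$ProgId' failed: $($_.Exception.Message)"
        return $false
    }
}

function Get-EcwDllVersions {
    param([string[]]$Roots, [string]$DllName)
    # Report where the ECW DLL lives and which SDK build it carries (4.x vs 5.x).
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter $DllName -File -ErrorAction SilentlyContinue |
            Select-Object FullName, @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } }
    }
}

# Run the checks.
$clsid    = Test-ProgIdRegistered -ProgId $progId
$servers  = @(Find-ComServersForDll -DllName $dllName)
$loadable = Test-ComInstantiation -ProgId $progId
$dlls     = @(Get-EcwDllVersions -Roots $searchRoots -DllName $dllName)

# Summarize the evidence for the audit record.
Write-Host "ProgID '$progId' registered : $(if ($clsid) { "yes ($clsid)" } else { 'no' })"
Write-Host "CLSIDs loading $dllName    : $($servers.Count)"
$servers | Format-Table -AutoSize | Out-String | Write-Host
Write-Host "COM instantiation succeeded : $loadable"
Write-Host "$dllName copies found       : $($dlls.Count)"
$dlls | Format-Table -AutoSize | Out-String | Write-Host

if ($clsid -or $servers.Count -gt 0 -or $loadable) {
    Write-Host "WARNING: $dllName is exposed through COM on this machine; review the registration before dismissing the scanner finding."
} else {
    Write-Host "System not vulnerable to CVE-2010-3599 via COM: '$progId' is not registered and cannot be instantiated."
}
```

On a machine that matches the article's description, the ProgID lookup returns nothing, the CLSID scan finds no server for NCSEcw.dll, and the instantiation attempt fails, which is the scripted equivalent of the "NOT found or was unable to load" message above. The DLL version listing is there so the result can be filed together with the ECW SDK build (4.x for older releases, 5.2.1 for 10.4 and later) as supporting evidence for the false-positive determination.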

Article ID: 000017723
