Bug: ArcGIS for Server is vulnerable to CVE-2014-0224 on Linux
【Related Information】
Article ID: 42654
Bug Id: NIM102,334
Software:
ArcGIS for Server 10.1, 10.2, 10.2.1, 10.2.2, 10.1 SP1
Platforms: N/A
【Bug Description】
ArcGIS for Server is vulnerable to CVE-2014-0224, a vulnerability in OpenSSL. The vulnerability is exploitable when all of the following are true:
- ArcGIS for Server is running on Linux.
- The Print Service is used to access services through HTTPS.
- The services that the print service is using have a reverse proxy in front of them that uses a vulnerable OpenSSL.
- A hacker sets up a man-in-the-middle component to intercept all HTTPS traffic between these two machines.
This vulnerability allows the communication between the print service and the accessed services to be decrypted.
Customers are not vulnerable if they don't use the print service, if they don't use a reverse proxy in front of ArcGIS Server, or if they use ArcGIS Server on Windows.
A workaround is immediately available and a patch is coming soon.
【Bug Cause】
This is due to a vulnerability in OpenSSL.
ArcGIS for Server's internal HTTPS server does not use OpenSSL on any platform.
ArcGIS for Server on Linux uses OpenSSL when making client connections on ArcGIS Server. ArcGIS for Server on Windows uses Microsoft's Windows WinInet library, which is not affected by this.
1 reply
易智瑞 Technical Support
In order to exploit CVE-2014-0224 both the client and the server must use vulnerable versions of OpenSSL. Immediately upgrading the version of OpenSSL on the reverse proxy remediates the problem.
【Created and Modified】
Created: 6/5/2014
Last Modified: 6/5/2014
【Original Link】
http://support.esri.com/en/kno ... 42654
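
A version check to go with the reverse proxy upgrade recommended in the reply above, as an added example (not from the Esri article or the reply): the hypothetical helper `ccs_status` compares an `openssl version` banner with the OpenSSL releases that fixed CVE-2014-0224 (0.9.8za, 1.0.0m, 1.0.1h). The sample banners are constructed, and the check assumes upstream version strings.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the upstream
# releases that fixed CVE-2014-0224: 0.9.8za, 1.0.0m and 1.0.1h.

# Rank an OpenSSL letter suffix so that "" < a..z < za..zz.
suffix_rank() {
    case "$1" in
        "")     echo 0 ;;
        [a-z])  echo $(( $(printf '%d' "'$1") - 96 )) ;;
        z[a-z]) echo $(( 26 + $(printf '%d' "'${1#z}") - 96 )) ;;
        *)      echo -1 ;;
    esac
}

# ccs_status is a hypothetical helper name; prints vulnerable, fixed or unknown.
ccs_status() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9]*\.[0-9]*\.[0-9]*\)\([a-z]*\).*/\1 \2/p')
    [ -n "$parsed" ] || { echo unknown; return; }
    branch=${parsed%% *}
    suffix=${parsed#* }
    case "$branch" in
        0.9.8) fixed=za ;;
        1.0.0) fixed=m ;;
        1.0.1) fixed=h ;;
        *) echo unknown; return ;;   # branch not in the fix list above
    esac
    have=$(suffix_rank "$suffix")
    need=$(suffix_rank "$fixed")
    if [ "$have" -lt 0 ]; then echo unknown
    elif [ "$have" -lt "$need" ]; then echo vulnerable
    else echo fixed
    fi
}

# Constructed sample banners (not taken from the page).
for b in "OpenSSL 1.0.1e-fips 11 Feb 2013" "OpenSSL 1.0.1h 5 Jun 2014"; do
    printf '%s -> %s\n' "$b" "$(ccs_status "$b")"
done
```

On the reverse proxy host, pass the real banner with `ccs_status "$(openssl version)"`. Distribution packages that backport the fix without changing the version letter are reported as vulnerable, so confirm against the vendor's package changelog in that case.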