Problem: OpenSSL Vulnerability CVE-2014-0160 (Heartbleed)
【Related Information】
Article ID: 42405
Bug Id: N/A
Software:
ArcGIS Online Current
ArcGIS for Desktop Advanced 10.2, 10.2.1, 10.2.2, 10.1 SP1
ArcGIS for Desktop Standard 10.2, 10.2.1, 10.2.2, 10.1 SP1
ArcGIS for Desktop Basic 10.2, 10.2.1, 10.2.2, 10.1 SP1
ArcGIS for Server 10.2, 10.2.1, 10.2.2, 10.1 SP1
ArcGIS Runtime SDK for iOS 10.2.2
ArcGIS Runtime SDK for Android 10.2.2
ArcGIS Runtime SDK for Qt 10.1.1, 10.2, 10.2.2
ArcGIS Runtime SDK for WPF 10.1.1, 10.2, 10.2.2
ArcGIS Runtime SDK for Java 10.1.1, 10.2, 10.2.2
ArcGIS Engine for Linux 10.2, 10.2.1, 10.2.2, 10.1 SP1
ArcGIS Engine for Windows 10.2, 10.2.1, 10.2.2, 10.1 SP1
ArcGIS Runtime SDK for OS X 10.2.2
Platforms: N/A
【Problem Description】
On April 7, 2014, a security vulnerability with servers running the OpenSSL cryptographic library was revealed at Heartbleed.com. The security advisory for this vulnerability is CVE-2014-0160. Esri staff have been performing maintenance to validate, secure, and patch Esri servers and infrastructure to close this vulnerability and ensure Esri customers are protected.
The vulnerable OpenSSL library versions were not used in ArcGIS 10.1 and earlier releases, so these are not affected. Only versions from 10.1 SP1 and later are affected.
Many Esri products include the OpenSSL library, but do not use this library to implement the vulnerable TLS protocol. It is expected that security scans will start flagging the presence of this library based on CVE-2014-0160 even though no actual security issue exists in the specific usage. Esri will be providing software updates to upgrade the OpenSSL library in affected products to eliminate these false positive scans. This technical article is updated as availability dates are set.
【Cause】
CVE-2014-0160 – OpenSSL 'Heartbleed' Vulnerability
1 reply
易智瑞技术支持 (Esri China Technical Support)
Customers should read the summary below to determine the action they should take for their particular ArcGIS products and services. This summary is updated as mitigation activities are completed.
Services
ArcGIS Online – Mitigations have been applied to all service endpoints and certificates have been re-issued across the platform. As a precautionary measure, Esri encourages users to change passwords for systems where mitigations have been completed, such as ArcGIS Online.
Managed Services – No customer action is required as the supporting infrastructure was unaffected.
Esri’s global account systems – No customer action is required as the supporting infrastructure was unaffected.
Desktop Products
ArcGIS for Desktop/Engine – No customer action is required. The vulnerable OpenSSL library is included with ArcGIS Desktop releases 10.1 SP1, 10.2, 10.2.1, and 10.2.2, but it is not utilized in a manner where the vulnerability is exploitable.
Server Products
ArcGIS for Server (Windows) – No customer action is required. The vulnerable OpenSSL library is included with ArcGIS Server 10.1 SP1, 10.2, 10.2.1, and 10.2.2, but it is not utilized in a manner where the vulnerability is exploitable.
ArcGIS for Server (Linux) – Only the print and publishing services are vulnerable for ArcGIS Server 10.2, 10.2.1 and 10.2.2 on Linux. Esri is working on a security patch to address this concern, and in the meantime, these services can be disabled as necessary if utilizing a Linux deployment. A technical article detailing this can be found in KB 42407.
Update April 23, 2014 – An OpenSSL (Heartbleed) patch was released which addresses the print and publishing services vulnerability for ArcGIS Server 10.2, 10.2.1, and 10.2.2 on Linux.
Portal for ArcGIS – No customer action is required.
Web Gateways – While this is NOT an Esri component, customers utilizing such a system in front of their web services (such as reverse proxy or NAT), operating as the termination point for SSL connections utilizing OpenSSL, should ensure mitigations are put in place according to their vendor’s recommendations.
Update July 7, 2014 – Esri released the ArcGIS 10.1 SP1 - 10.2.2 for (Desktop, Engine, Server) OpenSSL Update Patch. This patch addresses non-exploitable instances of the OpenSSL defect, commonly called Heartbleed, that may still exist in ArcGIS 10.1 Service Pack 1 through ArcGIS 10.2.2. While these are non-exploitable instances of OpenSSL, customers who run security scan software on these ArcGIS releases may still see false positives until this software patch has been applied.
Runtime SDKs
ArcGIS Runtime – No customer action is required. The vulnerable OpenSSL library is included with Runtime WPF/Qt/Java releases 10.1.1, 10.2, 10.2.2, and the iOS/Android/OS X 10.2.2 release, but it is not utilized in a manner where the vulnerability is exploitable.
【Other Related References】
【Created and Modified】
Created: 4/10/2014
Last Modified: 7/7/2014
【Original Link】
http://support.esri.com/en/kno ... 42405
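The article and the reply both turn on one distinction: a bundled OpenSSL library that a scanner flags by version string, versus a build where the Heartbleed defect is actually gone. The Python check below is an added example (not code from the Esri article, the reply, or any Esri product) that makes that distinction by reading the version string OpenSSL embeds in its libraries and classifying it against the range the Heartbleed disclosure covers, 1.0.1 up to and including 1.0.1f (a fact about CVE-2014-0160, not something the article states). An administrator can run it over an installation directory before and after applying the July 7 OpenSSL Update Patch to confirm the library was replaced. The directory layout, file names and sample byte blobs are constructed for the example and are not Esri's.

```python
"""Inventory check: find the OpenSSL version string embedded in library
files and tell a CVE-2014-0160-affected build (1.0.1 through 1.0.1f)
from a patched or older-branch one.  Added example; inputs are constructed."""
import os
import re

# OpenSSL embeds a string such as "OpenSSL 1.0.1e 11 Feb 2013" or
# "OpenSSL 1.0.1e-fips 11 Feb 2013" in libssl / libcrypto.  The lookahead
# stops the optional patch letter from being read out of a longer token.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(?![a-z0-9])")


def find_versions(data: bytes) -> list:
    """Return every (major, minor, fix, patch_letter) tuple found in a blob."""
    return [(int(m.group(1)), int(m.group(2)), int(m.group(3)),
             m.group(4).decode())
            for m in VERSION_RE.finditer(data)]


def is_heartbleed_affected(version) -> bool:
    """True for OpenSSL 1.0.1 (no letter) through 1.0.1f.  1.0.1g and later,
    and the 1.0.0 / 0.9.8 / 1.0.2 branches, do not carry the defect."""
    major, minor, fix, letter = version
    return (major, minor, fix) == (1, 0, 1) and letter <= "f"


def classify_blob(data: bytes) -> str:
    """Classify one file's contents by the OpenSSL version strings it carries."""
    versions = find_versions(data)
    if not versions:
        return "no-openssl"
    if any(is_heartbleed_affected(v) for v in versions):
        return "affected-version-present"
    return "openssl-present-not-affected"


def scan_directory(root: str) -> dict:
    """Walk an installation directory and classify every file that carries an
    OpenSSL version string.  Returns {relative_path: classification}."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            verdict = classify_blob(data)
            if verdict != "no-openssl":
                results[os.path.relpath(path, root)] = verdict
    return results


# Constructed sample blobs standing in for the contents of four library files
# (hypothetical paths; the version strings mimic what strings(1) would show).
SAMPLE_BLOBS = {
    "bin/libssl.so (pre-patch)": b"\x00OpenSSL 1.0.1e 11 Feb 2013\x00",
    "bin/libssl.so (patched)": b"\x00OpenSSL 1.0.1g 7 Apr 2014\x00",
    "bin/libeay32.dll (old branch)": b"\x00OpenSSL 1.0.0k-fips 5 Feb 2013\x00",
    "bin/other.dll": b"\x00no crypto here\x00",
}


def report(blobs=SAMPLE_BLOBS) -> dict:
    """Classify each named blob; the same logic scan_directory applies to files."""
    return {name: classify_blob(data) for name, data in blobs.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```

A version string only shows which library is on disk, which is exactly what a scanner keys on; whether a product feeds that library to a TLS endpoint is the separate question the reply answers product by product. Run `scan_directory` against the install root to get the on-disk inventory, and treat any `affected-version-present` result after patching as a sign the update did not replace that file.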