License Manager Security Update

ArcGIS License Manager is built on a third-party software component, Flexera FlexNet Publisher. A CVE (CVE-2015-8277) has recently been published describing buffer overflow vulnerabilities in Flexera FlexNet Publisher. Esri is providing ArcGIS 10.4 License Manager to resolve these Flexera-based vulnerabilities.

Vulnerability Details:  

Flexera FlexNet Publisher contains a buffer overflow vulnerability that could allow remote code execution (CWE-130: Improper Handling of Length Parameter Inconsistency).

A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service by exploiting this buffer overflow in an affected license server. The CVE record (CVE-2015-8277) is still undergoing analysis; however, the Vulnerability Note issued by US-CERT (VU#485744) assigns it a CVSS base score of 10.0 (HIGH).

Note: CVSS base scores do not take temporal or environmental (organization-specific) factors into account. As a best practice, Esri recommends not exposing License Manager externally. For a deployment in which ArcGIS License Manager is not reachable from outside the organization and not accessible anonymously, the resulting score drops to 6.8 (MEDIUM).

Mitigating Measures:

Esri recommends that all customers using concurrent-use licensing download and install ArcGIS 10.4 License Manager immediately, replacing their current ArcGIS License Manager. ArcGIS 10.4 License Manager can be downloaded from My Esri and is included with the ArcGIS for Desktop, ArcGIS Engine, and ArcGIS for Server products. If you are not authorized to download Esri software, contact your organization's primary maintenance contact for access to My Esri. ArcGIS 10.4 License Manager is compatible with all ArcGIS releases from ArcGIS 10.0 through ArcGIS 10.4. For details on affected versions, see the associated Knowledge Base Article (46334).
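The advisory's recommendation not to expose License Manager externally is only enforceable if you know which TCP ports the server listens on. The following added example (not Esri's code, and not taken from this advisory) reads those ports out of the License Manager's service.txt, which is a FlexNet license file: the SERVER line carries the lmgrd port and the VENDOR line may carry a PORT= option for the vendor daemon. The sample file is constructed, and the port numbers 27000 and 27001 in it are assumed, not values stated in the advisory; the default behaviour noted in the comments (lmgrd picks a port from 27000 to 27009, a vendor daemon picks any free port when none is pinned) is FlexNet behaviour.

```python
"""Find the TCP ports an ArcGIS License Manager listens on, from service.txt.

Added example, not Esri's code.  The point is that an unpinned vendor daemon
port changes at every start and so cannot be expressed as a static firewall
rule; pin it with PORT= before writing the rule that blocks external access.
"""

import re
import socket

# Constructed sample service.txt (FEATURE lines omitted).  Port numbers are
# assumptions for the example; check your own file.
SAMPLE_SERVICE_TXT = """\
# constructed sample, not a real license file
SERVER this_host ANY 27000
VENDOR ARCGIS port=27001
"""

PORT_OPTION = re.compile(r"^(?:port=)?(\d+)$", re.IGNORECASE)


def parse_service_txt(text: str) -> dict:
    """Return {"lmgrd": port-or-None, "vendors": {name: port-or-None}}.

    None means the daemon chooses a port at start-up (lmgrd from
    27000-27009, a vendor daemon from any free port).
    """
    result = {"lmgrd": None, "vendors": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        keyword = tokens[0].upper()
        if keyword == "SERVER" and len(tokens) >= 4 and tokens[3].isdigit():
            # SERVER <host> <hostid> [port]
            result["lmgrd"] = int(tokens[3])
        elif keyword == "VENDOR" and len(tokens) >= 2:
            # VENDOR <name> [daemon_path] [OPTIONS=file] [[PORT=]port]
            port = None
            for tok in tokens[2:]:
                match = PORT_OPTION.match(tok)
                if match:
                    port = int(match.group(1))
            result["vendors"][tokens[1]] = port
    return result


def findings(cfg: dict) -> list:
    """Warnings for listeners whose port cannot be pinned in a firewall rule."""
    out = []
    if cfg["lmgrd"] is None:
        out.append("lmgrd port not set on SERVER line; it will pick one from 27000-27009")
    for name, port in cfg["vendors"].items():
        if port is None:
            out.append(f"vendor daemon {name} has no PORT= option; its port changes at each start")
    return out


def firewall_ports(cfg: dict) -> list:
    """Sorted TCP ports to allow from client subnets only and block elsewhere."""
    ports = [cfg["lmgrd"]] + list(cfg["vendors"].values())
    return sorted(p for p in ports if p is not None)


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port succeeds.  Run from an external
    vantage point against the license server to confirm the block is in place."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    cfg = parse_service_txt(SAMPLE_SERVICE_TXT)
    print("ports to restrict:", firewall_ports(cfg))
    for note in findings(cfg):
        print("warning:", note)
    for port in firewall_ports(cfg):
        print(f"127.0.0.1:{port} reachable: {tcp_open('127.0.0.1', port)}")
```

Run it against the real service.txt (and again after the 10.4 upgrade, since the upgrade carries the file across) and feed the returned ports into the host or perimeter firewall rule; if findings() reports an unpinned vendor daemon, add PORT= to the VENDOR line first, or the rule will only cover lmgrd.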

References:  

CVE-2015-8277

Esri Knowledge Base Article 46334

CWE-130: Improper Handling of Length Parameter Inconsistency

US CERT Vulnerability Note VU#485744

The Security Standards and Architecture team


10 Comments

  1. danielri says:

    Great idea… let's just publish this on a public web site and NOT email the software owners directly. It is not like you don't have a site called my.esri.com where you could have determined who the primary software contacts for each organization were.

    Just saying….

    • Michael Young says:

      Hi Danielri,
      Over the last several years, Esri has established a primary avenue for keeping customers aware of security issues, specifically the Trust.ArcGIS.com website. We welcome you checking it out. With this site, our customers have just one place to go for awareness of the latest security issues/concerns, and can even subscribe to the announcement RSS feed to stay up to date. If the issue was considered a critical security concern for our customers, we would have also notified our customers directly, but that is not the case for this issue as it is typically a moderate security risk for ArcGIS deployments. Lastly, you will be happy to know that we are transitioning the announcements of the Trust site to GeoNet later this year. We welcome ideas for improving the communication of product security concerns for our customers that you can submit directly to us via the Trust site "Report a Security Concern".

    • zhart says:

      I’d continue to agree with @danielri
      There should be email alerts sent to primary contacts about something as important as security risks. I can go to the ESRI blogs and read about new software releases, but you still email me about those. Where’s the logic here?

      • Michael Young says:

        As mentioned previously, for critical security issues Esri notifies customers directly, in addition to the information posted to Trust.ArcGIS.com. Our security team’s goal is to send focused email to the people who need it and not inundate the primary contact with emails of non-critical security issues. We have thought about adding a separate primary security contact for each organization that could choose to receive all Trust site security announcements via email, and welcome your thoughts on that. As opposed to creating a lengthy blog thread on this topic, feel free to use the “Report a Security Concern” link as mentioned above.

  2. danielri says:

    How come this is not on GeoNet?

  3. gherbert_maulfoster says:

    So do you need to uninstall the existing License Manager first or will an upgrade in place address this issue?

    • Matt Lorrain says:

      Hi gherbert_maulfoster,

      An in-place upgrade will work. It is recommended that the service.txt file and Options file (if applicable) be backed up before upgrading although the information should carry across. Simply run the 10.4 installer and nothing special outside of the normal upgrade process is needed, which is documented in the install guides.

  4. jwfsmith says:

    How about telling us where we can download the 10.4 license manager? It's not apparent in this article and does not appear in the KB article either.

    • Matt Lorrain says:

      Hi jwfsmith,

      Thanks for the feedback. Customers can download ArcGIS 10.4 License Manager from MyEsri. The blog and KB article will be updated to provide this information. Thanks.