While we don’t have a habit of announcing when our products are NOT vulnerable to a specific security issue, sometimes IT teams pounce on the panic button (understandably) when they hear about a new critical vulnerability that hit the media mainstream. Some customers have gone so far as to shut systems down due to Apache Struts vulnerability CVE-2017-5638, and subsequently began asking if the vulnerability was applicable to the ArcGIS Enterprise product line.
Now the good news, ArcGIS Enterprise commercial products under General Availability and even Extended Support are NOT vulnerable to this Apache Struts issue as they do not utilize Apache Struts.
Some customer IT teams did some Google searches and came across an old version of the open-source GeoPortal Server offering which contains Apache Struts. This created some concerns/confusion, however it utilizes an older version of the Struts framework 1.x, which has NOT been confirmed as vulnerable by Apache. If your organization is utilizing GeoPortal Server 1.x, we strongly recommend you migrate to GeoPortal Server version 2.5 as it addresses confirmed security issues not related to Struts. Two additional notes: 1) GeoPortal Server version 2.x does NOT utilize Struts. 2) The open-source GeoPortal Server is a separate code-base from the Esri commercial offering of Portal for ArcGIS. Portal for ArcGIS is a part of the ArcGIS Enterprise family and does not contain Struts.
For future reference, if there is a critical security issue that has broad media attention and we’ve confirmed key products are vulnerable we quickly post such issues here and update as relevant. Please check Trust.ArcGIS.com announcements to get a security sanity check for the ArcGIS platform.
- The Security Standards & Architecture Team