Updated 1/19/18: While these vulnerabilities are independent of our application code, some of the Windows patches for them on Windows Server 2008 R2 and Windows 7 systems cause the ArcGIS Server Geoprocessing service to crash (error code #8273 is written to the ArcGIS Server log).
We strongly recommend that customers run OS versions covered under mainstream support. Mainstream support from Microsoft for both Windows Server 2008 R2 and Windows 7 ended in January 2015, a little over three years ago. The overall security risk of running these older OS versions is significantly higher than the moderate risk addressed by the patches for these particular vulnerabilities. While these vulnerabilities have received significant media attention, their severity rating is only medium, with a CVSS score of 4.4 out of 10 (see the vulnerability risk rating link below).
Therefore, if your organization is unable to move to an OS version under mainstream support, we recommend holding off on applying Microsoft patches KB4056894, KB4056568, and KB4056897 on those two OS versions only, until the issue has been validated further and updated patches are released (moving to a mainstream-supported OS version remains the best option, as noted above).
If you have already installed one of these OS patches, you can uninstall it and ArcGIS Server will continue working correctly. Both Meltdown and Spectre require an attacker to run their own code on the affected machine, so the exposure of a server depends on who can log on to it or execute code on it. Customers with enterprise server machines will likely already have access control mechanisms and policies in place that prevent all but a small subset of administrators from accessing these machines locally. These controls reduce the relative risk associated with these flaws until OS vendors and others provide more stable patches for these security issues.
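As an added example that is not part of this post or of Esri's products, the following PowerShell script implements the check-and-rollback described above on a single ArcGIS Server host: it confirms the machine is Windows 7 / Server 2008 R2, reports which of the three updates named above are installed, scans the ArcGIS Server logs for error code 8273, and, only when run with the -Uninstall switch, removes the installed updates with wusa.exe. It assumes an elevated PowerShell session (2.0 or later). The log root C:\arcgisserver\logs is the default ArcGIS Server log location and is an assumption; the script name, the -Uninstall switch, and the -ArcGisLogRoot parameter are mine.

```powershell
# Added example, not Esri's code. Report (and with -Uninstall, remove) the January 2018
# updates named in this post on a Windows 7 / Server 2008 R2 ArcGIS Server host, and look
# for the #8273 error in the ArcGIS Server logs.
# Assumptions: elevated PowerShell 2.0+ session; wusa.exe available (ships with the OS);
# $ArcGisLogRoot is the default ArcGIS Server log location, adjust it for your install.
param(
    [switch]$Uninstall,
    [string]$ArcGisLogRoot = 'C:\arcgisserver\logs'
)

$KBs = '4056894', '4056568', '4056897'   # the three updates named in this post

# 1. The crash is reported on Windows 7 / Server 2008 R2 (NT 6.1) only.
#    On any other version keep the updates installed and stop here.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -notlike '6.1.*') {
    Write-Host "$($os.Caption) ($($os.Version)) is not Windows 7 / Server 2008 R2; keep these updates installed."
    return
}

# 2. Which of the three updates are present?
$present = @()
foreach ($kb in $KBs) {
    $hf = Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue
    if ($hf) {
        Write-Host "KB$kb installed on $($hf.InstalledOn)"
        $present += $kb
    } else {
        Write-Host "KB$kb not installed"
    }
}

# 3. Has the Geoprocessing service already hit the error described in the post?
#    The search is deliberately loose (bare code, word-bounded) so it does not
#    depend on the exact layout of the log entries.
if (Test-Path $ArcGisLogRoot) {
    $hits = Get-ChildItem -Path $ArcGisLogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
            Select-String -Pattern '\b8273\b'
    Write-Host ("Log entries containing code 8273: {0}" -f @($hits).Count)
} else {
    Write-Host "Log root $ArcGisLogRoot not found; skipping the log check"
}

if (-not $Uninstall) {
    Write-Host 'Report only. Re-run with -Uninstall to remove the updates listed as installed.'
    return
}

# 4. Remove the installed updates with wusa. Exit code 0 = removed, 3010 = removed but a
#    reboot is pending; anything else is a failure to look up in the Windows Update log.
#    /norestart leaves the reboot to you so ArcGIS Server is not cycled mid-job.
$rebootNeeded = $false
foreach ($kb in $present) {
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host "KB$kb removed" }
        3010    { Write-Host "KB$kb removed, reboot required"; $rebootNeeded = $true }
        default { Write-Warning "wusa returned exit code $($p.ExitCode) while removing KB$kb" }
    }
}
if ($rebootNeeded) {
    Write-Host 'Reboot the host in a maintenance window, then re-run this script to confirm the updates are gone.'
}
```

Run it once without -Uninstall to see the current state before changing anything. Note that KB4056894 is the January 2018 Security Monthly Quality Rollup, which is cumulative, so removing it also removes the other fixes bundled in that rollup; KB4056897 is the corresponding Security Only update and KB4056568 is the Internet Explorer cumulative security update. Record which of them you removed so they can be reapplied once a stable patch is available.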
For ArcGIS Online, our cloud infrastructure providers have already patched their services and hosts for these vulnerabilities. What remains are some low-risk issues that Esri will patch in our next release.
As additional patches are released that optimize and reduce the performance impacts related to this issue, please reach out to your vendors (OS, browser, and database) for additional guidance. We will also continue updating this blog as we confirm more information.
- Esri's Security Standards & Architecture Team
- New Esri KBA - https://support.esri.com/en/Technical-Article/000017464
- What is Meltdown? - https://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html
- What is the Spectre attack? - https://spectreattack.com/
- AWS mitigations performed - https://aws.amazon.com/security/security-bulletins/AWS-2018-013
- MS Azure mitigations performed - https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
- Vulnerability risk rating - https://www.kb.cert.org/vuls/id/584653
- Patch performance/stability issues - https://access.redhat.com/articles/3307751