The National Security Agency (NSA) took the unusual step of notifying Microsoft about a significant vulnerability (CVE-2020-0601), for which Microsoft released a patch in January 2020. As part of our FedRAMP authorization for ArcGIS Online, we pay close attention to Binding Operational Directives and Emergency Directives issued by the Department of Homeland Security. Because of the publicity surrounding this issue, several customers have asked us whether our offerings are vulnerable, so we are posting this summary.
ArcGIS Online customers were not affected by this vulnerability, as the Windows servers in our offering are not directly exposed to the Internet for external access. Any Windows servers used for ArcGIS Online back-end operations were nonetheless patched by January 31, 2020 as a defense-in-depth precaution.
Esri does not embed the affected cryptographic functions within our products; they are instead provided by your operating system deployment. Customers managing their own ArcGIS Enterprise implementations on affected operating systems should ensure that all of Microsoft's January 2020 patches are applied as soon as possible. We have not observed any conflicts between our products and the associated security patches, and we strongly recommend that they be applied across your organization's operations where applicable (both server and client systems). If your organization uses machine images for cloud deployments, make sure those images are updated immediately as well, so that newly deployed systems do not reintroduce the unpatched code.
This issue is a useful reminder of the value of terminating your web service encryption (TLS) endpoints on a security gateway device in front of your web application servers: the certificate validation exposed to the Internet then lives on one hardened device rather than on every application host, which reduces operational headaches. The NSA has provided a good summary of the issue and the recommended mitigation actions here.
- Esri Software Security & Privacy Team