Updated 2/7/18: While this vulnerability is independent of our application code, some of the OS security patches for the vulnerability on Windows 2008R2 and Windows 7 cause some ArcGIS products that use Geoprocessing to fail.
As of the above date, MS has released a patch to disable the Spectre security patch, because the Intel microcode portion of the patch was recalled last week due to system instabilities. You might want to steer clear of these patches until the CPU and OS vendors iron out the significant remaining wrinkles.
We strongly recommend that customers use OS versions covered under mainstream support. Mainstream support from Microsoft ended a little over three years ago for both Windows 2008R2 and Windows 7. The overall security risk of using these older OS versions is significantly higher than the moderate risk addressed by the patch for these particular vulnerabilities. While these vulnerabilities have received significant media attention, it is important to realize that their severity rating is only medium, with a CVSS score of 4.4 out of 10.
For organizations unable to move to an OS version under mainstream support, we have released patches for each of the ArcGIS products affected as seen in the References section below (moving to a mainstream supported OS version is still drastically better from a security perspective as noted above).
If you have already installed one of the OS patches, you can uninstall it and the ArcGIS products will continue working correctly. Customers with enterprise server machines will likely already have access control mechanisms and policies in place that prevent all but a small subset of admins from locally accessing these machines. Because exploiting these flaws requires running code on the machine, such controls reduce the relative risk until patches are available for your specific configuration.
For ArcGIS Online, our cloud infrastructure providers have already patched their services and hosts for these vulnerabilities. What remains are some low risk issues that Esri will patch during our next release.
– Esri’s Security Standards & Architecture Team
- ArcGIS Server Patch – https://support.esri.com/en/download/7576
- ArcGIS Desktop/Engine – https://support.esri.com/en/download/7579
- ArcGIS Runtime – https://support.esri.com/en/download/7580
- Esri KBA – https://support.esri.com/en/Technical-Article/000017464
- What is Meltdown? – https://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html
- What is Spectre Attack? – https://spectreattack.com/
- AWS Mitigations Performed – https://aws.amazon.com/security/security-bulletins/AWS-2018-013
- MS Azure Mitigations Performed – https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
- Vulnerability Risk Rating – https://www.kb.cert.org/vuls/id/584653
- Patch Performance/Stability Issues – https://access.redhat.com/articles/3307751