Mid-May was a busy month for vulnerabilities being covered by media, so we’ve consolidated information about two of the most broadcasted vulnerabilities here.
VENOM Vulnerability Information:
On May 13, 2015, a hypervisor vulnerability was disclosed CVE-2015-3456 referred to as VENOM that received significant media attention. ArcGIS Online is not hosted within vulnerable cloud infrastructure providers and is therefore not vulnerable itself.
For customers utilizing our products on virtual machines other than Microsoft or VMWare, we recommend checking with your virtual machine vendor for potential patches.
Logjam Vulnerability Information:
On May 20, 2015, a vulnerability was disclosed (CVE-2015-4000) with the cryptographic algorithm Diffie-Hellman key exchange. It is used to allow Internet protocols (such as HTTPS) to agree on a shared key and negotiate a secure connection.
While ArcGIS Online was not vulnerable to utilizing higher risk DHE_Export ciphers, Esri recently disabled a cipher utilizing Diffie-Hellman 1024-bits which had the potential to be vulnerable to more advanced state-level attacks. This is not expected to disrupt access of any current clients to ArcGIS Online.
Logjam has both server and browser-side vulnerabilities, so please ensure your systems are updated as necessary.
– The Security Standards & Architecture Team