
A new Windows-based application has been created by a malicious individual or group that uses the online map posted by Johns Hopkins University at https://coronavirus.jhu.edu/map.html as a decoy for installing malware. Michael Young has written a blog describing this issue.

 

Bottom line: you are fine browsing the Coronavirus dashboard on the web with your browser, as no software needs to be downloaded. If you come across someone offering a Coronavirus dashboard where you need to download software to view it, don’t use it!

 

You'll find this blog titled "Coronavirus Downloadable Malware Map App Clarification" in the 'Alerts and Announcements' section on the front page of the ArcGIS Trust Center.

Esri’s Software Security and Privacy team is often called upon by both current and prospective customers to provide assurance as to the kinds of controls we’ve implemented to help keep your data and our infrastructure safe. Esri has provided a detailed list of answers to questions related to the security of the ArcGIS Online platform for security professionals in the form of the CAIQ Answers document. Esri’s CAIQ response document answers a set of 295 yes or no questions a cloud consumer or cloud auditor may wish to ask of a cloud provider. You’ll find this document (along with many others) in the Documents tab in the ArcGIS Trust Center.

 

The CAIQ is a survey provided by the Cloud Security Alliance (CSA) for cloud solution consumers and auditors to assess the security capabilities of a cloud service provider like ArcGIS Online. The CAIQ was developed to create commonly accepted industry standards for documenting how service providers like Esri implement security controls in infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and/or software-as-a-service (SaaS) applications.

 

The CAIQ questionnaire is designed to support organizations interacting with a cloud provider during the provider assessment process by giving them specific questions to ask about provider operations and processes. The CAIQ is part of the CSA governance, risk management and compliance stack.

 

The CSA is a “not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing”. 

 

A wide range of industry security practitioners, corporations, and associations participate in this organization to achieve its mission. Esri began providing answers for the CSA CCM (133 questions) in 2013, and in 2019 shifted to the more extensive CAIQ with 295 questions and answers.

 

ArcGIS Online is audited annually by a third-party assessor to ensure alignment with its Federal Risk and Authorization Management Program (FedRAMP) Tailored Low Authority to Operate (ATO), granted by the United States Department of the Interior.

 

For more information concerning the security, privacy and compliance of ArcGIS Online please see the Trust Center at: https://Trust.ArcGIS.com. 

 

ArcGIS Online utilizes the world-class cloud infrastructure of Microsoft Azure and Amazon Web Services, both of which have completed the CSA questionnaires for their capabilities; those responses may be downloaded from the CSA Registry at: https://cloudsecurityalliance.org/star/#_registry

 

Our responses to these questions meet Level 1 self-assessment requirements for the CSA’s Security Trust Assurance and Risk (STAR) Program. 

 

For a more lightweight set of answers, a basic overview of ArcGIS Online security (2-page flyer) is available within the Trust Center documents. Some basic, recurring customer questions include:

 

  • Where is my data hosted? Within AWS and MS Azure datacenters on US soil. (CAIQ ID: BCR-032.2, DSI-01.1)
  • Is my data encrypted at rest and in transit? Yes, new organizations use HTTPS with TLS 1.2 in transit and AES-256 at rest. (CAIQ ID: EKM-03.1)
  • Is my data backed up? Customers are responsible for backing up their datasets. (CAIQ ID: DSI-04.1)
  • Can I do security tests against ArcGIS Online? Yes, however a Security Assessment Agreement (SAA) must be completed first.
  • Are my files scanned with anti-virus? Yes. Files containing malicious code are rejected from upload. (CAIQ ID: CCC-04.1)
  • What privacy assurance is in place? ArcGIS Online is Privacy Shield self-certified, and both GDPR and CCPA aligned. (CAIQ ID: GRM-06.4)

 

For any questions/concerns/feedback please contact Esri’s Software Security & Privacy Team at: SoftwareSecurity@Esri.com 

 

 


A new Tomcat CVE (CVE-2020-1938) referred to as 'Ghostcat' has a lot of users asking how Esri software is affected.

 

Michael Young has written a blog describing how users may be impacted and offers guidance for customers who deploy the Java version of the ArcGIS Web Adaptor on Tomcat or use Apache httpd along with Tomcat in a reverse proxy solution.  

 

You'll find this blog titled "Don't get Bitten by GhostCat Tomcat Vulnerability" in the 'Alerts and Announcements' section on the front page of the ArcGIS Trust Center.

Users are asking us how ArcGIS Enterprise may be affected by Microsoft blocking unsigned LDAP communication in Active Directory starting in March 2020.

 

ArcGIS Enterprise itself is not affected by this as long as connections to Active Directory can be made using LDAPS (port 636). To meet this requirement, be sure that LDAPS is available on your Active Directory servers.

 

However, *if* your organization is using the Java Web Adaptor (which itself requires a J2EE server such as Tomcat, GlassFish or WebLogic) and you’re using web-tier authentication with Active Directory, then the J2EE application server must itself be configured to connect to the directory server using LDAPS.

 

Even if ArcGIS Enterprise is configured to use LDAP over plaintext port 389, it will attempt to connect via LDAPS (port 636) first regardless. Front-end application servers are unlikely to follow this pattern and will communicate with the directory server exactly as configured.
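An added check, not code from the original post: the PowerShell below first confirms that a domain controller answers LDAPS on 636 with a certificate this machine trusts and that an authenticated bind succeeds over that channel, then scans a Tomcat server.xml for JNDIRealm entries still pointed at ldap:// (the "literally configured" case above). The DC name, the server.xml path and the use of a JNDIRealm are assumptions.

```powershell
# Added example (not from the original post). Assumes: $Dc is a domain controller FQDN,
# and $ServerXml is the server.xml of the Tomcat hosting the Java Web Adaptor,
# with Active Directory configured through a JNDIRealm.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    param([Parameter(Mandatory)][string]$Dc, [int]$Port = 636)

    # 1. TLS handshake with normal chain and name validation: a self-signed or
    #    mis-named DC certificate fails here, just as it will for the app server.
    $tcp = New-Object System.Net.Sockets.TcpClient($Dc, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Dc)   # throws on an untrusted chain or name mismatch
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $tlsVersion  = $ssl.SslProtocol
        $certSubject = $cert.Subject
        $certExpiry  = $cert.NotAfter
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }

    # 2. Authenticated LDAP bind over SSL with the caller's Windows credentials.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $bindError = $null
    try { $conn.Bind(); $bound = $true } catch { $bound = $false; $bindError = $_.Exception.Message }
    finally { $conn.Dispose() }

    [pscustomobject]@{
        Server      = $Dc
        TlsVersion  = $tlsVersion
        CertSubject = $certSubject
        CertExpiry  = $certExpiry
        BindOk      = $bound
        BindError   = $bindError
    }
}

function Find-PlaintextLdapRealms {
    # Lists Tomcat JNDIRealm entries and whether each uses ldaps:// or StartTLS;
    # Tomcat connects exactly as configured, with no automatic fallback to 636.
    param([Parameter(Mandatory)][string]$ServerXml)
    $xml = [xml](Get-Content -Path $ServerXml -Raw)
    foreach ($realm in $xml.SelectNodes('//Realm[@className="org.apache.catalina.realm.JNDIRealm"]')) {
        $url = $realm.GetAttribute('connectionURL')
        [pscustomobject]@{
            ConnectionURL = $url
            UsesLdaps     = ($url -match '^ldaps://')
            UsesStartTls  = ($realm.GetAttribute('useStartTls') -eq 'true')
        }
    }
}

# Usage (assumed names):
Test-LdapsEndpoint -Dc 'dc01.example.internal' | Format-List
Find-PlaintextLdapRealms -ServerXml 'C:\tomcat\conf\server.xml' |
    Where-Object { -not ($_.UsesLdaps -or $_.UsesStartTls) } |
    Format-Table -AutoSize
```

Any realm printed by the second command will keep talking plaintext LDAP to port 389 regardless of what ArcGIS Enterprise itself does.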

Microsoft released a patch in January for a critical issue in the Microsoft Windows CryptoAPI (CVE-2020-0601).

 

Michael Young has provided Esri's response to how our products are impacted and the steps we've taken to keep you safe. 

 

You'll find this statement in the 'Alerts and Announcements' section of the ArcGIS Trust Center.

The ArcGIS Online (AGO) Security Advisor has been updated. For information regarding this product, see the ArcGIS Online Security Advisor story map. You can launch the app from the ArcGIS Trust Center. See the release notes below!

This release focuses on the upcoming AGO HTTPS-only enforcement in September 2020. The HTTP Check is no longer beta and supports processing up to 1000 content items by analyzing the item page and the item's data information (if it can be handled as JSON; the HTTP Checker's help page identifies the content data types that are not processed). Improvements will be made as needed.

Use the search by just pressing the 'enter' key to scan all available items, or enter keywords into the search filter to focus on specific content items. For more information, check out the HTTP Checker's help content once you've logged into the application.

The AGO HTTPS only enforcement is expected to be implemented in September 2020.

v2.0.4 - 2019/DEC/06

HTTP Check

  • No longer Beta. Further improvements will be made as needed.
  • Corrected issue that would prevent item page info from being processed and results displayed if there was an issue with that item's data information.
  • Increased processing count to first 1000 items (up from 100).
  • UI Updates
  • Help text updated.

Application Changes

  • Click on visitor page footer version number to view release notes.
  • Adjusted text on visitor page to highlight that the advisor is not officially supported through Esri but is offered and maintained by the Esri Software Security & Privacy Team. Provided email address for questions.
  • Adjusted the left side navigation menu to float and move with screen scroll.
  • Updated bootstrap, jquery and arcgis javascript libraries to current versions.

Settings Advisor

  • Policy message updated to include warning text when Social Logins is enabled.

 

Regards,

Esri Software Security & Privacy Team

AGO Security Advisor - https://arcg.is/ago-advisor

The installed help documents for ArcGIS Enterprise are served anonymously to everyone. The content is not sensitive, and can be easily found on the web. Sometimes, however, organizations have policies that require that any website under their authority require authentication for all endpoints, and that can cause a challenge for site managers whose only other path is to seek an exclusion.

 

For those users, there is a potential workaround that can be explored, and that's to implement web-tier security specifically for the help docs. Here's how that's done.

 

First, open Windows Explorer and drill down to where your Portal or Server web adaptor is installed. For this example we'll use 'Portal'.

 

Inside (for example) c:\inetpub\wwwroot\portal\, create a new folder called "portalhelp".

 

Next, open IIS manager. Drill down to the website that hosts your web adaptor, and find the 'portalhelp' folder. 

 

Finally, use the IIS 'Authentication' feature to disable Anonymous Authentication and enable Windows Authentication.

 

Now when users attempt to access the help documentation, they'll need to provide Windows credentials.

 

 

Figure: Using the IIS Authentication feature to secure the "portalhelp" virtual directory you create.
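The same three steps scripted with the IIS WebAdministration module, as an added example that is not part of the original post; it also verifies the result and confirms that an anonymous request is now challenged. The site name ('Default Web Site'), the /portal path, the folder on disk and the test URL are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# web adaptor machine. Assumes the Portal web adaptor is the /portal application
# under 'Default Web Site', installed at C:\inetpub\wwwroot\portal.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'
$HelpFolder = 'C:\inetpub\wwwroot\portal\portalhelp'
$Location   = "$SiteName/portal/portalhelp"            # IIS location path for the new folder
$AuthFilter = '/system.webServer/security/authentication'
$TestUrl    = "https://$env:COMPUTERNAME/portal/portalhelp/"   # assumed help URL

# Windows Authentication is an optional IIS feature; without it the setting below has no effect.
$feature = Get-WindowsOptionalFeature -Online -FeatureName IIS-WindowsAuthentication
if ($feature.State -ne 'Enabled') {
    throw "IIS-WindowsAuthentication is not installed (state: $($feature.State)); enable it first."
}

# Step 1 of the post: create the 'portalhelp' folder inside the web adaptor directory.
New-Item -ItemType Directory -Path $HelpFolder -Force | Out-Null

# Steps 2-3: disable anonymous and enable Windows authentication for that folder only.
# Writing at the server PSPath with -Location stores a <location> entry in
# applicationHost.config, which works even when the section is locked for web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthFilter/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthFilter/windowsAuthentication" -Name enabled -Value $true

# Verify: anonymous must be off and Windows auth on, otherwise the folder is still open to everyone.
$anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter "$AuthFilter/anonymousAuthentication" -Name enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter "$AuthFilter/windowsAuthentication" -Name enabled).Value
[pscustomobject]@{ Location = $Location; AnonymousAuth = $anon; WindowsAuth = $win }
if ($anon -or -not $win) { throw "Authentication for $Location was not applied as expected." }

# Smoke test: an anonymous request to the help path should now be challenged with 401.
try {
    Invoke-WebRequest -Uri $TestUrl -UseBasicParsing -ErrorAction Stop | Out-Null
    Write-Warning "Anonymous request to $TestUrl succeeded; the help path is still unauthenticated."
} catch {
    $code = [int]$_.Exception.Response.StatusCode
    if ($code -eq 401) { Write-Output "OK: anonymous request to $TestUrl was challenged (401)." }
    else { Write-Warning "Unexpected result for $TestUrl (HTTP $code): $($_.Exception.Message)" }
}
```

A non-401 result in the smoke test usually means a certificate or name problem with the test URL rather than an authentication problem, so check that first.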

The California Consumer Privacy Act (CCPA) is almost a month away. This is the equivalent of Europe’s General Data Protection Regulation (GDPR) dealing with consumer privacy.

What is it?

The law gives consumers broad new privacy rights and mandates how companies must manage, store and use customer data. Because of this large scope and the state’s important role in the US economy, this law is bound to impact marketing organizations across the entire US and beyond if they manage data on California residents.

So, what is going to change you ask?

Like GDPR, the CCPA will require organizations to manage the personal data of 12% of Americans in a whole new way. Consumer data collection will become much more complex and data privacy will become a significant issue. Beginning in January 2020, new obligations are going to require organizations to:

  1. Disclose to consumers what data is being collected and with whom it is shared or sold,
  2. Stop selling data if the consumer requests it,
  3. Delete data if the consumer requests it,
  4. Obtain explicit data collection opt-in for minors under the age of 16,
  5. Obtain parental consent for minors under the age of 13,
  6. Provide an easy mechanism for consumers to exercise their rights, including a free phone number and a prominent mechanism on their website explicitly labeled “Do Not Sell My Personal Information.”

Under CCPA, if consumers choose to exercise any of these rights, companies may not charge a higher price or offer a lower level of service (within reason).

NOTE: Esri is currently working on ensuring alignment by enforcement on 1/1/2020. If you have any questions regarding privacy with Esri products and services, please reach out to the Esri Software Security and Privacy team at Software_Security@esri.com

Additional information regarding CCPA.

The ArcGIS License Manager 2019.0 is available.

 

This update addresses several vulnerabilities in Flexera FlexNet Publisher that are exploitable in versions prior to FlexNet Publisher 11.16.2.

 

The ArcGIS License Manager 2019.0 uses FLEXnet Publisher 11.16.2.1.

 

Versions of Flexera FlexNet Publisher prior to 11.16.2 are affected by multiple vulnerabilities:

 

  • A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down. (CVE-2018-20031)
  • A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down. (CVE-2018-20032)
  • A Remote Code Execution vulnerability in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier could allow a remote attacker to corrupt the memory by allocating / deallocating memory, loading lmgrd or the vendor daemon and causing the heartbeat between lmgrd and the vendor daemon to stop. This would force the vendor daemon to shut down. (CVE-2018-20033)
  • A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down. (CVE-2018-20034)

 

The ArcGIS License Manager 2019.0 is compatible with the ArcGIS software versions described in the License Manager Guide.

 

Esri encourages all users to upgrade to ArcGIS License Manager 2019.0 to address these security concerns.

 

FAQ: What version of FLEXnet Publisher is used in ArcGIS License Manager?

A new repository of documents is now available exclusively for users who have subscribed to an ArcGIS account.

 

The Esri Software Security and Privacy team is proud to announce a new, exclusive document repository now available on the ArcGIS Trust Center at https://trust.arcgis.com. 

 

This repository requires that users log in with their Esri Account. Inside you'll find a growing catalog of detailed information designed to help users and administrators of Esri software understand implementation aspects that have an impact on security-related domains.

 

We have a number of documents in the pipeline that we'll add here as we continue to grow this area.  Our goal is to both regularly publish new content and to update the existing content to meet the security and compliance needs of our customers.

 

We look forward to your feedback!

In Esri PSIRT, we get a LOT of questions. Some questions we see more frequently than others - like folks wondering where your data goes when you publish to ArcGIS Online, or where to go to ask other questions. 

 

We've documented a great deal of security, privacy, and compliance information over on our ArcGIS Trust Center.

 

Here are a few examples of some frequently asked questions, with some pointers on where to find references to support these answers. 

 

The first set of questions we're usually asked is along the lines of:

 

Q: Do you house the servers where ArcGIS Online is hosted?

Q: If not, do you have a third party such as Amazon or Microsoft that handles this for you?

 

This is an example of a question that's documented in DCS-04 in the ArcGIS.com Cloud Security Alliance Controls Matrix. The controls documented in the Cloud Security Controls Matrix map to NIST SP 800-53 and ISO/IEC 27001:2013, and cover a great many aspects of ArcGIS Online.

 

Q: What else can you share from a security, privacy, or compliance standpoint?

 

We've accumulated a good bit of information for our customers. In fact, we curate https://trust.arcgis.com, which is a repository for knowledge regarding security, compliance, and privacy. Of particular note is our 'documents' section, found here: https://trust.arcgis.com/en/documents/.

 

Customers should know that ArcGIS Online is a FedRAMP Tailored Low authorized solution by the United States Department of Agriculture (USDA). This includes adhering to robust continuous monitoring requirements, and security controls are reviewed at a minimum of every three (3) years.

 

Q: Who can I reach out to to obtain additional or more granular information if I don't see it on the ArcGIS Trust Center?

 

Esri's PSIRT is here to help. If we're missing something on the Trust Center, let us know. We'll answer your question and update our docs.

 

Let us know how else we can help!

ArcGIS Enterprise security patches have been released for ArcGIS Server and Portal for ArcGIS.

ArcGIS Server Security 2019 Update 1 Patch

Portal for ArcGIS Security 2019 Update 1 Patch

 

You'll notice a new addition to our patch pages: CVSS base scoring and vector parameters.

 

CVSS is a way for software security professionals to quantify the risk associated with software security issues. Next to each patch above we list the highest risk addressed: moderate-risk security issues are addressed by the Server patch and a high-risk issue is addressed by the Portal patch.

 

We strongly suggest users patch their systems to address these security concerns.

In the last blog I wrote, I described ways to test desktop apps, operating systems, and Java installs to validate that they were correctly sending requests to ArcGIS Online, so that your apps will continue to function after TLS 1.0 and 1.1 are no longer supported (after April 16, 2019).

 

Some users have expressed concern related to their mobile apps: older Android or iOS devices may not natively have support for TLS 1.2 enabled. Android fully supports TLS 1.2 starting at Android 5 (Lollipop), but custom Android apps may have enabled support for TLS 1.2 as far back as Android 4.1.

 

Starting with iOS 9, Apple introduced App Transport Security, which enforces TLS 1.2 for most apps, but it’s possible that some vendors may have globally disabled this feature or created domain exceptions for it.

 

All that’s well and good, but for the person who’s responsible for making sure apps are going to work, what does this mean? Is there a painless way that an app or device’s TLS 1.2 compatibility can be quickly validated?

 

Happily, the answer is yes, and just like in the last blog, we can use the Fiddler web debugging proxy to validate!

 

Because Fiddler won’t run natively on a mobile OS, there’s a bit of setup we need to do before we can validate.

 

First, go ahead and install Fiddler on a Windows machine. While there is a beta version of Fiddler for Linux, we’ll test with Windows.

 

Once it’s installed, we’ll need to gather some information and set some options.

 

Next, if you don’t already know it, you’ll want to take note of your Windows machine hostname and IP address. You can get those details by opening a Windows console and entering the HOSTNAME and IPCONFIG commands like in the example below (details redacted to protect the innocent). These details will be used later.

 

Figure 1: IPCONFIG and HOSTNAME commands

Once you have those details, open Fiddler and navigate to Tools > Options. Enable the option to allow remote computers to connect and leave the remaining settings as they are.

 

Figure 2: Fiddler Connections options

 

Next, click the ‘HTTPS’ tab. By default, the ‘Decrypt HTTPS traffic’ option is unchecked, but if you’ve used Fiddler to debug HTTPS traffic already, this option may be enabled.

 

Figure 3: Fiddler HTTPS options

 

Next, you’ll want to configure your mobile device to push your web traffic through the Fiddler proxy.

 

To do this, your mobile device will need to use WIFI and be on the same local network as your Windows machine.

I have an iOS device I’m testing with, but the instructions for configuring your device to use a proxy should be similar.

 

Your favorite search engine should be able to assist with specifics.

 

In my case, once I’ve joined the WIFI, I click on the WIFI connection and scroll down to ‘Configure Proxy’.

 

Figure 4: WIFI proxy configuration

 

Once in the ‘Configure Proxy’ dialog, enable ‘Manual’ configuration, and populate the Server and Port settings.

Populate the ‘Server’ value with the hostname or IP address of the machine where Fiddler is running. By default, Fiddler listens on port 8888.

 

Figure 5: Device proxy configuration

Once that’s complete, you’re ready to test! Open your app and connect to your test resource.

 

Assuming you’re watching the Fiddler console, you’ll start to see your WIFI traffic being routed through the Fiddler proxy.

 

Click on one of the sessions that was captured that represents the endpoint you’re connecting to. In my case, I’m connecting to an internal ArcGIS Enterprise instance I maintain.

 

After you’ve selected a session, in Fiddler, click on the ‘Inspectors’ tab, and then the ‘Headers’ subtab. You’ll want to have a quick check to make sure that the Client is your mobile browser or app instead of a desktop browser or app. Typically Esri clients indicate “Esri” or “ArcGIS” for the user-agent.

 

Figure 6: Confirm user-agent in Fiddler Headers tab

 

After you’ve checked the user-agent and are sure you’re reviewing the correct traffic, click the ‘TextView’ tab. Just like before, you can review the TLS version that the client is using.

 

Here I’m satisfied that my iOS browser is creating sessions to my server using TLS 1.2.

 

Figure 7: TLS version in Fiddler TextView tab

 

Hopefully this workflow can help users who require an additional level of validation with mobile apps they use.

As has been announced, Esri will soon remove support for TLS 1.0 and TLS 1.1 on ArcGIS Online. Esri has provided test endpoints that users can work with to check that their applications will continue to function as expected.

 

However, in some cases users have questions about legacy or custom apps or may want to understand how their apps behave when abstracted away from the tools that Esri has provided.

 

Fortunately, you can test your apps prior to the current cutoff date April 16, 2019 without the test endpoints Esri has provided. To do this, we’ll use the Fiddler web debugging tool.

 

Fiddler is a powerful web debugging tool that allows users to view and manipulate web sessions, and also gives us a LOT of insight into what’s happening under the hood.

 

Let’s compare a patched instance of ArcGIS Desktop against an unpatched instance so that we can see the difference first hand.

 

First, we’ll want to download and install the Fiddler tool.

 

Once installed, we’ll want to take the default options.

If you’re already familiar with Fiddler, open the Options dialog, click the HTTPS tab, and uncheck the ‘Decrypt HTTPS Traffic’ option.


 

Next, configure your app. If you’re working with ArcGIS Desktop or an application that uses .NET to manage outbound internet (WinINET), Fiddler should configure Internet Explorer’s proxy options for you. If you’re testing a Java app, your app will need to support the ability to use an outbound proxy and be configured to do so. By default, Fiddler listens on the localhost interface on port 8888.

 

In this case, since I’m comparing ArcGIS Desktop, I know that I don’t need to configure an outbound proxy for this test to work.

 

For this test, I’ll compare the ArcGIS Online search capability in ArcCatalog.

 

  • Open ArcCatalog.
  • From the File menu, click ‘Sign In’.
  • From the Windows menu, click the ‘Search’ option.
  • In the Search pane, select ‘ArcGIS Online’.
  • Open Fiddler.
  • Enter a term in the Catalog search box. Anything will do.
  • Click the magnifying glass to search.
  • Check Fiddler and select a session.
  • On the right side, under the ‘Inspectors’ tab, click the ‘TextView’ subtab and check for the TLS version.
  • Note that I can see that I’m using TLS 1.2 in my outbound communication, which makes sense: my instance of ArcGIS Desktop is patched!
  • But what if it’s unpatched, or I don’t know, or I’m curious, or I’ve modified this workflow slightly to test some app other than ArcGIS Desktop? What will that look like? In that case, Fiddler won’t tell us that the app is using TLS 1.2. Instead, it’ll state something else; in this case, TLS 1.0.

 

 

Hopefully this helps provide some ideas as to how you can test and troubleshoot your own applications, as well as potentially validate some of ours. 

 

Best,

 

Randall
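The Fiddler test above shows what a client actually negotiated; the added PowerShell below (not from the original post) shows why, by reading the Windows settings that decide whether SChannel, .NET Framework 4.x and WinINET clients on the machine may offer TLS 1.2 at all. Registry paths and value names are the documented Microsoft ones; absent values are reported rather than guessed.

```powershell
# Added example (not from the original post). Complements the Fiddler check by
# reporting the per-machine settings that govern TLS 1.2 for Windows clients.
# Absent values mean the OS/runtime default applies; the script says so rather than guessing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }      # key or value not present
    return $item.$Name
}

function Test-Tls12ClientReadiness {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $dotnet   = [ordered]@{
        '64-bit .NET Framework 4.x' = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
        '32-bit .NET Framework 4.x' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # read by 32-bit apps
    }
    $wininet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $findings = @()

    # SChannel client side: Enabled=0 or DisabledByDefault=1 switches TLS 1.2 off for every app.
    $enabled  = Get-RegValue $schannel 'Enabled'
    $disabled = Get-RegValue $schannel 'DisabledByDefault'
    $findings += [pscustomobject]@{
        Component = 'SChannel TLS 1.2 client'
        Setting   = "Enabled=$enabled DisabledByDefault=$disabled"
        Tls12     = $(if (($enabled -eq 0) -or ($disabled -eq 1)) { 'no' } else { 'yes (or OS default)' })
    }

    # .NET Framework 4.x: SchUseStrongCrypto=1 or SystemDefaultTlsVersions=1 makes the runtime
    # use TLS 1.2. With neither set, 4.6+ offers TLS 1.2 by default but 4.5.x does not.
    foreach ($entry in $dotnet.GetEnumerator()) {
        $strong = Get-RegValue $entry.Value 'SchUseStrongCrypto'
        $sysdef = Get-RegValue $entry.Value 'SystemDefaultTlsVersions'
        $findings += [pscustomobject]@{
            Component = $entry.Key
            Setting   = "SchUseStrongCrypto=$strong SystemDefaultTlsVersions=$sysdef"
            Tls12     = $(if (($strong -eq 1) -or ($sysdef -eq 1)) { 'yes' } else { 'depends on runtime version' })
        }
    }

    # WinINET (Internet Explorer stack, used by many native Windows apps): SecureProtocols is a
    # bitmask of allowed protocols and 0x800 is the TLS 1.2 bit.
    $secure = Get-RegValue $wininet 'SecureProtocols'
    $findings += [pscustomobject]@{
        Component = 'WinINET SecureProtocols (current user)'
        Setting   = $(if ($null -eq $secure) { 'not set (OS default)' } else { '0x{0:X}' -f $secure })
        Tls12     = $(if ($null -eq $secure) { 'OS default' } elseif (($secure -band 0x800) -ne 0) { 'yes' } else { 'no' })
    }

    # What this PowerShell process itself (a .NET client) will offer right now.
    $sp = [Net.ServicePointManager]::SecurityProtocol
    $findings += [pscustomobject]@{
        Component = 'This PowerShell process'
        Setting   = "SecurityProtocol=$sp"
        Tls12     = $(if (("$sp" -eq 'SystemDefault') -or (([int]$sp -band [int][Net.SecurityProtocolType]::Tls12) -ne 0)) { 'yes' } else { 'no' })
    }
    return $findings
}

Test-Tls12ClientReadiness | Format-Table -AutoSize
```

A row reading 'no' explains a TLS 1.0 session in Fiddler before any application-level investigation; 'depends on runtime version' means the Fiddler check is the only way to be sure for that app.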

ArcGIS Data Store 10.6.1 Security Update 1 Patch released!

This patch resolves a security vulnerability, within the intranet, that allows remote code execution using elevated privileges on the operating system on which the tile cache data store is installed and configured.

 

Description

 

Esri® announces the ArcGIS Data Store 10.6.1 Security Update 1 Patch. This patch addresses a security vulnerability within the intranet that allows remote code execution using elevated privileges on the operating system on which the tile cache data store is installed and configured. Esri strongly encourages all customers with ArcGIS Enterprise to install this patch at the earliest possible opportunity. It deals specifically with the issues listed below under Issues Addressed with this patch.

The ArcGIS Data Store 10.6.1 Security Update 1 Patch cannot be uninstalled from the tile cache data store using the patch remove utility. As such, see the uninstall instructions to reset the ArcGIS Data Store to the pre-patch state if needed.

Esri recommends users working with older versions of ArcGIS Enterprise upgrade to 10.6.1 to apply this patch. A fix for this issue is built into ArcGIS Enterprise 10.7.