topic Re: CVE-2019-17267 - FasterXML Jackson-databind in Esri Software Security & Privacy Questions

CVE-2019-17267 - FasterXML Jackson-databind

ToddCopeland — Fri, 07 Jul 2023 15:22:39 GMT

Our IT department came across CVE-2019-17267 related to fasterxml jackson-databind and believe it is linked to GeoEvent Server. This also shows up in our dev environment, ArcGIS Server, and ArcGIS for Portal environments. I should also note we no longer use GeoEvent Server.

Has there been any patches or updates to address this CVE? Is it safe to mark this as an exception?

Any help would be appreciated.

Thank you!

Re: CVE-2019-17267 - FasterXML Jackson-databind

RandallWilliams — Fri, 07 Jul 2023 15:29:58 GMT

Jackson deserialization issues are not exploitable in the Enterprise base enterprise deployment.

In general, if you're not using a given service like Geoevent, you should disable the Geoevent service or uninstall it so that you limit the potential attack surface - but the Jackson-Databind dependency is in ArcGIS Server as well. It'd brought in as a dependency upon dependency of other 3rd party frameworks.

Re: CVE-2019-17267 - FasterXML Jackson-databind

RandallWilliams — Fri, 07 Jul 2023 15:27:37 GMT

If your IA team needs an artifact, they can look this up in our 3rd party CVE response tool. It's in the customer exclusive documents are in the ArcGIS Trust Center.

Re: CVE-2019-17267 - FasterXML Jackson-databind

ToddCopeland — Fri, 07 Jul 2023 20:45:34 GMT

Thank you for the update @RandallWilliams. I'll pass along the information to IT and let you know if we have any further questions.