ArcGIS Enterprise Spring Framework - CVE-2016-1000027

05-18-2023 02:06 PM
JoeSaltenberger
New Contributor II

We currently have ArcGIS 10.9 deployed and the vulnerability CVE-2016-1000027 is showing up in our security scans. It looks like all Spring Framework versions prior to 6.x.x have this vulnerability.

Do newer versions of Enterprise (11 or 11.1) use Spring 6.x.x, or is it still a 5.x.x version? If it still uses the 5.x.x version, is ArcGIS Enterprise actually affected by this vulnerability? Thanks.

Accepted Solutions
JalesM
Esri Contributor

I would recommend sending your security concern to the ArcGIS Trust Center page:
https://trust.arcgis.com/en/security-concern/


2 Replies
JoeSaltenberger
New Contributor II

That worked, thanks. Summarized response from security team:

In general we don't deserialize either trusted or untrusted data using Spring and we do not use Spring to intercept requests. We only use Spring for IoC.

Spring doesn't consider this a bug and did not "fix" it anyway. The context for CVE-2016-1000027 was an intentionally unsafe implementation of the Spring Framework.

The vendor rejects the premise of CVE-2016-1000027 as a vulnerability because it requires explicitly configuring an application to ignore the documented best practices for Spring and to intentionally write an app that accepts and deserializes untrusted data. Spring instead addressed this with documentation.
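The triage above hinges on one question: does the application declare any of Spring's remoting exporters (HttpInvokerServiceExporter and relatives, which Java-deserialize the request bodies they receive and are what CVE-2016-1000027 concerns), or does it use Spring for IoC only? The following Python script is an added example, not code from this thread, Esri or Spring; it scans Spring XML bean definitions and Java configuration for those exporters, and the class list and sample configs are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Spring remoting exporters that Java-deserialize the request bodies they receive.
# Declaring one of these for untrusted callers is the precondition described above;
# an application using Spring for IoC only never declares them. (Assumed list.)
REMOTING_EXPORTERS = {
    "org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter",
    "org.springframework.remoting.httpinvoker.SimpleHttpInvokerServiceExporter",
    "org.springframework.remoting.rmi.RmiServiceExporter",
}
SIMPLE_NAMES = {c.rsplit(".", 1)[1] for c in REMOTING_EXPORTERS}
_JAVA_NEW = re.compile(r"\bnew\s+(%s)\s*\(" % "|".join(sorted(SIMPLE_NAMES)))

def exporters_in_xml(xml_text):
    """Return (bean id or name, class) for each <bean> whose class is a remoting exporter."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "bean":  # drop the beans XML namespace prefix
            continue
        cls = el.get("class", "")
        if cls in REMOTING_EXPORTERS:
            hits.append((el.get("id") or el.get("name") or "<anonymous>", cls))
    return hits

def exporters_in_java(java_text):
    """Return simple names of remoting exporters instantiated in Java @Configuration code."""
    return sorted(set(_JAVA_NEW.findall(java_text)))

def triage(xml_sources, java_sources):
    """Sources are {filename: text}; each finding is a place the app exposes an exporter."""
    findings = []
    for name, text in xml_sources.items():
        findings += [f"{name}: bean '{bid}' -> {cls}" for bid, cls in exporters_in_xml(text)]
    for name, text in java_sources.items():
        findings += [f"{name}: new {cls}(...)" for cls in exporters_in_java(text)]
    return findings

# Constructed sample inputs: an IoC-only context (clean) and one exposing an exporter.
IOC_ONLY_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="geocoder" class="com.example.GeocodeService"/>
</beans>"""
EXPOSED_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean name="/remote/geocode"
        class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <property name="service" ref="geocoder"/>
  </bean>
</beans>"""
JAVA_CFG = "@Bean HttpInvokerServiceExporter ex() { return new HttpInvokerServiceExporter(); }"
```

An empty result from `triage()` over all of an application's contexts supports the "IoC only" conclusion; any finding names the bean to review or remove before the scanner result can be closed.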