Select to view content in your preferred language

ArcGIS Enterprise Spring Framework - CVE-2016-1000027

608
2
Jump to solution
05-18-2023 02:06 PM
JoeSaltenberger
New Contributor II

We currently have ArcGIS 10.9 deployed and the vulnerability CVE-2016-1000027 is showing up in our security scans. It looks like all Spring Framework versions prior to 6.x.x have this vulnerability.

Do newer versions of Enterprise (11 or 11.1) use Spring 6.x.x, or is it still a 5.x.x version? If it still uses the 5.x.x version, is ArcGIS Enterprise actually affected by this vulnerability? Thanks.

0 Kudos
1 Solution

Accepted Solutions
JalesM
by Esri Contributor
Esri Contributor

I would recommend sending your security concern to the ArcGIS Trust Center page:
https://trust.arcgis.com/en/security-concern/

View solution in original post

2 Replies
JalesM
by Esri Contributor
Esri Contributor

I would recommend sending your security concern to the ArcGIS Trust Center page:
https://trust.arcgis.com/en/security-concern/

JoeSaltenberger
New Contributor II

That worked, thanks. Summarized response from security team:

In general we don't deserialize either trusted or untrusted data using Spring and we do not use spring to intercept requests. We only use spring for IOC. 

Spring doesn't consider this a bug and did not "fix" it anyway. The context for CVE-2016-1000027 was an intentionally unsafe implementation of the Spring Framework.

The vendor rejects the premise of CVE-2016-1000027 as a vulnerability because it requires explicitly configuring an application to ignore the documented best practices for Spring and to intentionally write an app that accepts and deserializes untrusted data. Spring instead addressed this with documentation.