
CVE-2019-17267 - FasterXML Jackson-databind

07-07-2023 08:22 AM
ToddCopeland
New Contributor II

Our IT department came across CVE-2019-17267 related to fasterxml jackson-databind and believe it is linked to GeoEvent Server. This also shows up in our dev environment, ArcGIS Server, and ArcGIS for Portal environments. I should also note we no longer use GeoEvent Server.

Have there been any patches or updates to address this CVE? Is it safe to mark this as an exception?

Any help would be appreciated.

Thank you!

Accepted Solutions
RandallWilliams
Esri Regular Contributor

Jackson deserialization issues are not exploitable in the Enterprise base deployment.

In general, if you're not using a given service like Geoevent, you should disable the Geoevent service or uninstall it so that you limit the potential attack surface - but the Jackson-Databind dependency is in ArcGIS Server as well. It's brought in as a dependency upon dependency of other 3rd party frameworks.
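Because the library arrives transitively, an IA team usually wants evidence of which jackson-databind versions are actually on disk before accepting an exception. The following is an added example, not Esri's code or tooling: it walks an install tree, reads each jackson-databind jar's manifest version (falling back to the file name), and classifies it against a fixed version. The 2.9.10 threshold is an assumption taken from the CVE record, not from this thread, and the sample install tree is constructed for the demo.

```python
import os
import re
import tempfile
import zipfile

# Assumption (not stated in the thread): CVE-2019-17267 was fixed in jackson-databind 2.9.10.
FIXED_VERSION = (2, 9, 10)

def parse_version(text):
    """'2.9.9.3' -> (2, 9, 9, 3); None if no dotted number is present."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def jar_version(path):
    """Prefer Implementation-Version from the jar manifest; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: fall through to the file name
    return parse_version(os.path.basename(path))

def inventory(root, fixed=FIXED_VERSION):
    """Walk an install tree; list every jackson-databind jar as (relpath, version, status)."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("jackson-databind") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                v = jar_version(path)
                status = "unknown" if v is None else ("affected" if v < fixed else "fixed")
                report.append((os.path.relpath(path, root), v, status))
    return sorted(report)

def build_sample_tree(base=None):
    """Constructed sample tree: one old jar, one patched jar whose version is only in its manifest."""
    base = base or tempfile.mkdtemp()
    for rel, ver in {"framework/lib/jackson-databind-2.9.8.jar": "2.9.8",
                     "webapp/WEB-INF/lib/jackson-databind.jar": "2.9.10"}.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {ver}\r\n")
    return base

if __name__ == "__main__":
    for rel, ver, status in inventory(build_sample_tree()): print(status, ver, rel)
```

Point `inventory()` at the real install root instead of the sample tree to produce the artifact; versions compare as tuples, so four-part builds such as 2.9.9.3 sort correctly below 2.9.10.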


3 Replies

RandallWilliams
Esri Regular Contributor

If your IA team needs an artifact, they can look this up in our 3rd party CVE response tool. It's in the customer-exclusive documents in the ArcGIS Trust Center.

ToddCopeland
New Contributor II

Thank you for the update @RandallWilliams. I'll pass along the information to IT and let you know if we have any further questions.
