
Computer vulnerabilities of ArcGIS for Desktop

computer vulnerability CVE-2015-2000 CVE-2015-2001 CVE-2015-2002

Android: privilege escalation via Serialization

Synthesis of the vulnerability

A local attacker, or a malicious application, can thus abuse Java serialization on Android OS in order to escalate privileges.
Impacted products: Android Applications ~ not comprehensive, ArcGIS for Desktop, Android OS, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 8.
Creation date: 12/08/2015.
Identifiers: CVE-2015-2000, CVE-2015-2001, CVE-2015-2002, CVE-2015-2003, CVE-2015-2004, CVE-2015-2020, CVE-2015-3825-REJECT, CVE-2015-3837, VIGILANCE-VUL-17645.

Description of the vulnerability

A Java class can:
 - be serializable, and
 - contain a finalize method, and
 - contain an attacker-controlled field

When a class combines these three characteristics, an attacker can alter the attribute in a serialized object, and thus inject code which is run when the Android garbage collector invokes the finalize() method.

There are several Java classes with the three required characteristics:
 - the OpenSSLX509Certificate class of Android OS (CVE-2015-3825, CVE-2015-3837)
 - classes from the SDK Jumio (CVE-2015-2000), used by applications built with this SDK
 - classes from the SDK MetaIO (CVE-2015-2001), used by applications built with this SDK
 - classes from the SDK PJSIP PJSUA2 (CVE-2015-2003), used by applications built with this SDK
 - classes from the SDK GraceNote GNSDK (CVE-2015-2004), used by applications built with this SDK
 - classes from the SDK MyScript (CVE-2015-2020), used by applications built with this SDK
 - classes from the SDK esri ArcGis (CVE-2015-2002), used by applications built with this SDK

A local attacker, or a malicious application, can thus abuse Java serialization on Android OS in order to escalate privileges.

computer vulnerability alert 17236

ArcGIS for Desktop, Server: multiple Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger Cross Site Scripting in ArcGIS for Desktop and ArcGIS for Server, in order to execute JavaScript code in the context of the web site.
Impacted products: ArcGIS for Desktop, ArcGIS for Server.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 25/06/2015.
Identifiers: VIGILANCE-VUL-17236.

Description of the vulnerability

The ArcGIS for Desktop and ArcGIS for Server products offer a web service.

However, it does not filter received data before storing them and later inserting them into generated HTML documents.

An attacker can therefore trigger Cross Site Scripting in ArcGIS for Desktop and ArcGIS for Server, in order to execute JavaScript code in the context of the web site.

vulnerability note CVE-2014-0160

OpenSSL: information disclosure via Heartbeat

Synthesis of the vulnerability

An attacker can use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
Impacted products: Tomcat, ArubaOS, i-Suite, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, ARCserve Backup, ASA, Cisco Catalyst, IOS XE Cisco, Prime Infrastructure, Cisco PRSM, Cisco Router, Cisco CUCM, Cisco IP Phone, Cisco Unity ~ precise, XenDesktop, Clearswift Email Gateway, Clearswift Web Gateway, Debian, ECC, PowerPath, ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, HP Diagnostics, LoadRunner, Performance Center, AIX, WebSphere MQ, IVE OS, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SA, Juniper UAC, LibreOffice, McAfee Email Gateway, ePO, GroupShield, McAfee NGFW, VirusScan, McAfee Web Gateway, Windows 8, Windows RT, MySQL Enterprise, NetBSD, OpenBSD, OpenSSL, openSUSE, Opera, Solaris, pfSense, HDX, RealPresence Collaboration Server, Polycom VBP, Puppet, RHEL, RSA Authentication Manager, SIMATIC, Slackware, Sophos AV, Splunk Enterprise, Stonesoft NGFW/VPN, stunnel, ASE, OfficeScan, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, VMware Player, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, VMware Workstation, Websense Email Security, Websense Web Filter, Websense Web Security.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/04/2014.
Identifiers: 1669839, 190438, 2076225, 2962393, c04236102, c04267775, c04286049, CA20140413-01, CERTFR-2014-ALE-003, CERTFR-2014-AVI-156, CERTFR-2014-AVI-161, CERTFR-2014-AVI-162, CERTFR-2014-AVI-167, CERTFR-2014-AVI-169, CERTFR-2014-AVI-177, CERTFR-2014-AVI-178, CERTFR-2014-AVI-179, CERTFR-2014-AVI-180, CERTFR-2014-AVI-181, CERTFR-2014-AVI-198, CERTFR-2014-AVI-199, CERTFR-2014-AVI-213, cisco-sa-20140409-heartbleed, CTX140605, CVE-2014-0160, CVE-2014-0346-REJECT, DSA-2896-1, DSA-2896-2, emr_na-c04236102-7, ESA-2014-034, ESA-2014-036, ESA-2014-075, FEDORA-2014-4879, FEDORA-2014-4910, FEDORA-2014-4982, FEDORA-2014-4999, FG-IR-14-011, FreeBSD-SA-14:06.openssl, Heartbleed, HPSBMU02995, HPSBMU03025, HPSBMU03040, ICSA-14-105-03, JSA10623, MDVSA-2014:123, MDVSA-2015:062, NetBSD-SA2014-004, openSUSE-SU-2014:0492-1, openSUSE-SU-2014:0560-1, openSUSE-SU-2014:0719-1, pfSense-SA-14_04.openssl, RHSA-2014:0376-01, RHSA-2014:0377-01, RHSA-2014:0378-01, RHSA-2014:0396-01, RHSA-2014:0416-01, SA40005, SA79, SB10071, SOL15159, SPL-82696, SSA:2014-098-01, SSA-635659, SSRT101565, USN-2165-1, VIGILANCE-VUL-14534, VMSA-2014-0004, VMSA-2014-0004.1, VMSA-2014-0004.2, VMSA-2014-0004.3, VMSA-2014-0004.6, VMSA-2014-0004.7, VU#720951.

Description of the vulnerability

The Heartbeat extension of TLS (RFC 6520) provides a keep-alive feature, without performing a renegotiation. It exchanges random data in a payload.

Version 1.0.1 of OpenSSL implements Heartbeat, which is enabled by default. The [d]tls1_process_heartbeat() function handles Heartbeat messages. However, it does not validate the payload length against the data actually received, so it keeps reading past the end of the received payload and sends the whole memory area (up to 64 KB) back to the peer (client or server).

An attacker can therefore use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.

computer vulnerability note CVE-2013-5221 CVE-2013-5222 CVE-2013-7231

ArcGIS for Server: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of ArcGIS for Server.
Impacted products: ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server.
Severity: 2/4.
Consequences: client access/rights, data reading, data creation/edition, data deletion.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 06/09/2013.
Identifiers: 41468, 41497, 41498, BID-62691, BID-62889, CVE-2013-5221, CVE-2013-5222, CVE-2013-7231, CVE-2013-7232, NIM092795, NIM092820, NIM093227, NIM094447, VIGILANCE-VUL-13359.

Description of the vulnerability

Several vulnerabilities were announced in ArcGIS for Server.

An attacker can trigger a persistent Cross Site Scripting of Mobile Content Directory, in order to execute JavaScript code in the context of the web site. [severity:2/4; 41468, BID-62889, CVE-2013-5222, CVE-2013-7231, NIM092820]

An attacker can trigger a non-persistent Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4; 41498, BID-62889, CVE-2013-5222, NIM093227]

An administrator can upload a file of any type to the server. [severity:2/4; 41497, BID-62691, CVE-2013-5221, NIM092795]

An attacker can use a SQL injection in the Map/Feature service, in order to read or alter data. [severity:2/4; CVE-2013-7232, NIM094447]

vulnerability bulletin 13053

ESRI ArcGIS for Desktop: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection in ESRI ArcGIS for Desktop, in order to read or alter data.
Impacted products: ArcGIS for Desktop.
Severity: 1/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: user shell.
Creation date: 08/07/2013.
Identifiers: VIGILANCE-VUL-13053.

Description of the vulnerability

ESRI ArcGIS for Desktop is a tool for geographical map creation.

It can be used with a relational database. However, for some queries, user-supplied data are inserted directly into the WHERE clause of a SQL query. Technical details of the affected request are unknown.

An attacker can therefore use a SQL injection in ESRI ArcGIS for Desktop, in order to read or alter data.

vulnerability 12830

ArcGIS Server: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection in ArcGIS Server, in order to read or alter data.
Impacted products: ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 15/05/2013.
Identifiers: NIM084249, VIGILANCE-VUL-12830.

Description of the vulnerability

The ArcGIS Server product allows users to perform a search on maps.

However, user-supplied data are inserted directly into a SQL query.

An attacker can therefore use a SQL injection in ArcGIS Server, in order to read or alter data.

computer vulnerability bulletin 12168

ArcGIS: information leak about database tables

Synthesis of the vulnerability

An attacker who causes a server-side error can obtain information about the database schema.
Impacted products: ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 16/11/2012.
Identifiers: NIM085361, VIGILANCE-VUL-12168.

Description of the vulnerability

ArcGIS uses a relational database.

An attacker who causes a server-side error can obtain information about the database schema, because the error message discloses it.

computer vulnerability bulletin CVE-2012-4949

ArcGIS Web Server: SQL injection

Synthesis of the vulnerability

An attacker can use the REST interface of the ArcGIS web server, to inject SQL commands, in order to read or alter data.
Impacted products: ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: intranet client.
Creation date: 12/11/2012.
Identifiers: BID-56474, CVE-2012-4949, NIM084249, VIGILANCE-VUL-12128, VU#795644.

Description of the vulnerability

The ArcGIS web server has a REST interface, which is reachable on port 6080/tcp, so that users can remotely query the service.

The "where" parameter of the "query" feature is used to filter queries. However, this parameter is not filtered before being inserted into a SQL query.

An attacker can therefore use the REST interface of the ArcGIS web server, to inject SQL commands, in order to read or alter data.

computer vulnerability bulletin CVE-2012-1661

ESRI ArcGIS: macro execution via MXD

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious MXD file with ArcGIS, in order to execute a Visual Basic macro on his computer.
Impacted products: ArcGIS ArcView, ArcGIS for Desktop.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 14/06/2012.
Identifiers: 40384, BID-53988, CVE-2012-1661, VIGILANCE-VUL-11708.

Description of the vulnerability

The ArcMap (ArcGIS for Desktop) software creates geographic files with the extension MXD.

These files can contain Visual Basic macros. However, when a document is opened on a system where VBA is installed, these macros are executed without prompting the user.

An attacker can therefore invite the victim to open a malicious MXD file with ArcGIS, in order to execute a Visual Basic macro on his computer.

computer vulnerability announce 11517

ArcGIS: code execution via TeeChart Professional

Synthesis of the vulnerability

An attacker can create a web page calling the TeeChart Professional ActiveX, which is installed by ArcGIS products, in order to execute code on computers of victims loading this page with Internet Explorer.
Impacted products: ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 03/04/2012.
Identifiers: BID-49125, NIM074916, SS-2011-007, VIGILANCE-VUL-11517.

Description of the vulnerability

ArcGIS products install the TeeChart Professional ActiveX control in order to draw statistical graphs.

The AddSeries() method of TeeChart.TChart.9 adds a series of numbers to a graph. However, one of its parameters is used to compute the address of a callback function. An attacker can thus force the control to call a malicious function, in order to execute code.

An attacker can therefore create a web page calling the TeeChart Professional ActiveX, which is installed by ArcGIS products, in order to execute code on computers of victims loading this page with Internet Explorer.