#VU8827 Improper input validation in ArcGIS
Published: October 11, 2017 / Updated: October 13, 2017
ArcGIS
ESRI
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists in the configuration of the ESRI-provided ArcGIS Server image available on Azure Marketplace: the default settings load the Java rmid service on TCP port 1098 and set the 'java.rmi.server.useCodebaseOnly' property to false. A remote attacker can send specially crafted data to cause the target RMI service to load and execute remote Java code.
Successful exploitation of the vulnerability may result in system compromise.
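A host-side check for the configuration described above, as an added example that is not part of the advisory or ESRI's tooling: it inspects process argument lists for an rmid daemon and reports its listening port and whether 'java.rmi.server.useCodebaseOnly' is explicitly set to false. It assumes the property is passed through rmid's `-J` (daemon JVM) or `-C` (activation group JVM) options; the function name and the sample argument lists are constructed for illustration.

```python
import re

RMID_DEFAULT_PORT = 1098  # port named in the advisory; also rmid's default
PROP = "java.rmi.server.useCodebaseOnly"
# Assumption: the property reaches the JVM as -J-D<prop>=<v> or -C-D<prop>=<v>.
PROP_RE = re.compile(r"^-([JC])-D" + re.escape(PROP) + r"=(.*)$")


def audit_rmid_argv(argv):
    """Audit one process argument list; return None if the process is not rmid."""
    if not argv:
        return None
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ("rmid", "rmid.exe"):
        return None
    finding = {"port": RMID_DEFAULT_PORT, "useCodebaseOnly": None, "scope": None}
    for i, arg in enumerate(argv[1:], start=1):
        if arg == "-port" and i + 1 < len(argv) and argv[i + 1].isdigit():
            finding["port"] = int(argv[i + 1])
        m = PROP_RE.match(arg)
        if m:  # a later occurrence overrides an earlier one
            finding["scope"] = "daemon" if m.group(1) == "J" else "activation-group"
            # Any value other than "true" (case-insensitive) is read as false.
            finding["useCodebaseOnly"] = m.group(2).strip().lower() == "true"
    # Flag only an explicit false; None means the JVM default applies.
    finding["flagged"] = finding["useCodebaseOnly"] is False
    return finding


# Constructed sample argument lists (not taken from the ArcGIS image).
SAMPLES = [
    ["/opt/jre/bin/rmid", "-J-Djava.rmi.server.useCodebaseOnly=false"],
    ["C:\\Java\\bin\\rmid.exe", "-port", "2098",
     "-J-Djava.rmi.server.useCodebaseOnly=true"],
    ["/usr/bin/java", "-jar", "app.jar"],
    ["rmid"],
]

if __name__ == "__main__":
    for argv in SAMPLES:
        print(argv[0], "->", audit_rmid_argv(argv))
```

Feed it the argument lists your process inventory already collects; a flagged result on a host where the reported port is reachable from untrusted networks matches the exposure this advisory describes.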