Security Bulletin - Geocortex Essentials and Geocortex Viewer for HTML5 - 10/13/2015
We recently discovered an issue around Essentials REST tokens potentially being sent to non-Essentials endpoints when using secured sites containing GeoRSS feeds. More info here: Security Bulletin - Geocortex Viewer for HTML5 - 9/30/2015 (https://support.geocortex.com/essentialsGSCForum?sub-nav=forum&main-nav=essentials&#!/feedtype=SINGLE_QUESTION_DETAIL&id=906600000000BDlAAM).
Immediately following that discovery, we launched an in-depth audit and performed traffic analysis to detect other instances of tokens potentially being sent to external, potentially untrusted services when using secured sites.
We found potential issues when using secured sites in version 2.5 of the Viewer for HTML5 and doing the following:
- Using GeoRSS to consume RSS feeds external to the organization.
- Performing query and identify operations on ArcGIS Server services external to the organization.
- Using Global Search to search map service endpoints external to the organization.
- Using the Query Builder to query services external to the organization.
- Consuming WMS services external to the organization.
- Consuming multiple dynamic layers hosted in dynamic map services external to the organization.
To address these potential issues we've discovered, we've created a 2.5.1 release of the Geocortex Viewer for HTML5, and version 4.2.2 of Geocortex Essentials. These products are available here (https://support.geocortex.com/essentialsGSCDownloads?productTitle=Essentials&sub-nav=downloads&main-nav=essentials).
Customers who are using Geocortex Essentials with security, with applications configured to make requests to services and endpoints external to the organization, are urged to upgrade to these latest versions immediately.
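As an added illustration that is not Geocortex code, the sketch below shows the kind of client-side check that prevents this class of leak: an Essentials REST token is attached only to requests whose origin is on an allowlist of the organization's own Essentials and ArcGIS Server hosts, so GeoRSS feeds, external WMS services and external ArcGIS Server query/identify endpoints never receive it. The origins, the base URL and the `buildRequest` helper are assumptions made for the example.

```javascript
// Added example (not Geocortex code): scope a REST token to an allowlist of
// trusted origins so it is never sent to external, potentially untrusted services.
// The origins below are hypothetical placeholders for an organization's own servers.
const TRUSTED_ORIGINS = new Set([
  "https://gis.example.org",          // Geocortex Essentials REST endpoint (placeholder)
  "https://arcgis.example.org:6443",  // internal ArcGIS Server (placeholder)
]);

// Resolve a (possibly relative) request URL against the application's base URL
// and return its origin, or null if it cannot be parsed or is not http(s).
function requestOrigin(url, base) {
  let parsed;
  try {
    parsed = new URL(url, base);
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  // URL.origin normalizes scheme and hostname case, drops default ports and
  // discards userinfo, so "https://gis.example.org@other.example/" compares as
  // https://other.example and is correctly treated as external.
  return parsed.origin;
}

// Return true only when the token may accompany this request. The comparison is
// an exact origin match: a hostname that merely starts with a trusted host name
// (e.g. gis.example.org.other.example) does not qualify.
function shouldAttachToken(url, base) {
  const origin = requestOrigin(url, base);
  return origin !== null && TRUSTED_ORIGINS.has(origin);
}

// Build the query string for a service call. The token is added only for trusted
// origins; every other destination receives the request without it.
function buildRequest(url, params, token, base) {
  const resolved = new URL(url, base); // throws on unparseable input
  const query = new URLSearchParams(params);
  if (shouldAttachToken(resolved.href, base)) {
    query.set("token", token);
  }
  return { url: resolved.toString(), query: query.toString() };
}
```

Audit logging of every request where `shouldAttachToken` returns false is a cheap way to spot configurations that unexpectedly point a secured site at external services.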
While consuming external and potentially untrusted GIS services in the context of secured sites and applications is not particularly recommended, we see web GIS evolving in a direction that means consuming data from more and more disparate, public, and inter-organizational sources.
With this in mind, we've decided to take an aggressive stance to ensure that our security model and approach covers the wide range of scenarios in which GIS data is produced and consumed. Moving forward, this means immediately escalating and fixing anything around potential disclosure of tokens or any other security related materials.
We apologize for any inconvenience this issue has caused you. As always, we take all security issues extremely seriously. Please feel free to contact us if you have any questions or concerns.