VertiGIS uses this page to provide centralized information about the critical vulnerability CVE-2023-24329, known as "Python Blocklist Bypass", and its impact on VertiGIS product families as well as partner products.
This article will be updated as new information becomes available.
Partner products from Esri
Python is shipped as part of Esri products such as ArcGIS Pro, ArcGIS Enterprise and ArcGIS Desktop. The shipped versions contain the described vulnerability. There is no public information from Esri regarding this issue. Upon request via the ArcGIS Trust Center, we received the following information.
- In ArcGIS Pro 3.2 / ArcGIS Enterprise 11.2 we ship Python 3.9.17, where this issue is addressed.
- ArcGIS applications like ArcGIS Pro, ArcGIS Enterprise or ArcGIS Desktop aren't Python web servers and are not impacted by this issue out of the box.
- Users can immediately mitigate by adding a strip() function to their Python scripts before processing the URL. (Reference: Python URL Parse Problem (CVE-2023-24329) - PointerNull)
- If customers choose to build Python web servers that implement Python-based URL blocklisting (which is a bad security practice; the preference is an allow-list), then they can immediately mitigate this issue by adding a strip() function to their Python scripts before processing the URL on their Python-based server.
- Customers can also use CONDA to clone their Python environments and upgrade their libraries as they see fit. Customers can also choose to download and install a newer version of Python to build and run their Python web servers.
- They can and should also leverage a WAF for managing a blocklist. A WAF is a much better choice than a server-based blocklist because a WAF is managed at the network ingress point, not on any specific server.
- While the "severity" of CVE-2023-24329 is marked as "high", the "risk" is low. CVSS does not measure risk, it only measures severity.
- CVE-2023-24329 is not known by US-CISA to have been exploited in the wild: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- We plan to update our 3rd party CVE guidance document regarding this issue, but have no plans to release a blog for an issue like this which presents minimal risk.
If you have evidence of an exploit of this issue, please provide a proof of concept via "Report a Security or Privacy Concern".
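The following is an added example, not code from VertiGIS or Esri, illustrating the two points above: why a server-side blocklist built on urllib.parse can be bypassed by a URL with leading whitespace on an unpatched interpreter, and what the recommended mitigation (normalize with strip() before parsing, and prefer an allow-list over a blocklist) looks like in practice. All host names, the blocklist and the allow-list are constructed placeholders. The hardened check does not rely on the interpreter's own fix, so it behaves the same on patched and unpatched Python.

```python
"""CVE-2023-24329: blocklist bypass via leading whitespace, and a hardened check.

Constructed example: host names, blocklist and allow-list below are placeholders.
"""
from urllib.parse import urlparse

# Hypothetical blocklist used by a naive server-side URL filter.
BLOCKED_HOSTS = {"evil.example", "internal.example"}

# Hypothetical allow-list for the hardened check (allow-lists are the preferred practice).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"maps.example.com", "api.example.com"}

# WHATWG "C0 control or space" (U+0000..U+0020): the characters the upstream Python
# fix strips before parsing. Stripping them ourselves makes the check independent of
# whether the interpreter already contains that fix.
C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))


def blocklist_check(url: str) -> bool:
    """Vulnerable pattern: allow unless the parsed host is on the blocklist.

    On interpreters without the fix (for example 3.9 before 3.9.17, as noted above),
    urlparse(" http://evil.example/x") returns scheme='' and netloc='' because the
    leading space is not a valid scheme character, so the blocklist never matches
    and the URL is allowed, while an HTTP client handed the same string would still
    connect to evil.example. Patched interpreters strip the whitespace first.
    """
    parts = urlparse(url)
    return parts.netloc.lower() not in BLOCKED_HOSTS


def normalize_url(url: str) -> str:
    """Apply the recommended mitigation: strip leading/trailing controls and spaces
    so the parser sees the same string a downstream client would."""
    return url.strip(C0_CONTROL_OR_SPACE)


def allowlist_check(url: str) -> bool:
    """Hardened pattern: normalize first, then require BOTH scheme and host to be
    on allow-lists. An empty netloc (hostname None) is denied, not silently allowed."""
    parts = urlparse(normalize_url(url))
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname  # None when the URL has no authority component
    return host is not None and host.lower() in ALLOWED_HOSTS


if __name__ == "__main__":
    samples = [
        "http://evil.example/x",      # blocked by both checks
        " http://evil.example/x",     # bypasses the blocklist on unpatched Python
        "\x1fhttp://evil.example/x",  # same, with a C0 control character
        "http://maps.example.com/x",  # legitimate, allowed by both
        "maps.example.com",           # no scheme: allow-list denies
    ]
    for s in samples:
        print(f"{s!r:32} blocklist_check={blocklist_check(s)!s:5} allowlist_check={allowlist_check(s)}")
```

The blocklist result for the whitespace-prefixed URLs depends on the interpreter version, which is exactly the problem; the allow-list result does not, because normalization happens before parsing and a parse that yields no host is treated as a failure rather than as "not blocked".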
VertiGIS products
Not affected
- VertiGIS FM: Python not in use
- VertiGIS Studio: Python not in use
- VertiGIS Networks: Python not in use
- 3A / LM: Python not in use
- WebOffice: Python not in use
- UT for ArcGIS: Python is used partially in UT Click Before You Dig and UT Integrator. The library urllib is not used.
- GeoOffice: Python not in use
- ConnectMaster: Python not integrated
- M4 Solutions: Python not in use
- PinPoint: Python not in use
- EDP products: Python is used in EDP Besök. The library urllib is not used.
Under investigation
- Geonis