VertiGIS is using this page to provide key information about the CVE-2022-21449 vulnerability, known as Psychic Paper, disclosed on April 19, 2022, and its impact on products in the UT for ArcGIS product family, as well as partner products.
This article will be updated as new information becomes available.
Java versions 15-18 are affected by the vulnerability.
- UT CBYD ships with Java 11. This version is not affected, so no action is required.
- UT Integrator currently only supports Java 8 or Java 11. These versions are not affected, so no action is required.
- The WMPS requires JDK 11 or higher. Affected interfaces are not used. If Java 15-18 is used, VertiGIS still recommends updating to JDK 17.0.3, 18.0.1 or newer. If older Java versions are used, there is no acute need for action due to the vulnerability. The use of current versions is recommended.
Update the Java version:
- Install a current JDK version and set it in Tomcat.
- Restart the Tomcat afterwards
Other UT for ArcGIS products do not use Java and are therefore not affected.
Baral has published a newsletter that provides instructions for their products.