On January 27, 2015, a serious Linux operating system security vulnerability dubbed “Ghost” was announced. It affects glibc, the low-level system library, and can allow attackers to remotely take complete control of a victim's system.
This issue does not affect ArcGIS web application interfaces exposed through ArcGIS Server, ArcGIS Online, and Portal for ArcGIS.
As a precautionary measure and following a defense-in-depth approach, the patch is being applied to any Linux systems utilized by the ArcGIS Online cloud infrastructure. Even though a reboot of individual systems is required, we do not anticipate a disruption of operations.
We strongly recommend that customers choosing to deploy our products on Linux infrastructure apply their Linux vendor’s security patch ASAP to minimize the attack surface of their systems. Customers utilizing ArcGIS Server Ubuntu Amazon Machine Images (AMIs) will need to patch their Linux build as directed by the vendor. For future reference, our upcoming ArcGIS Server 10.3.1 AMI is already utilizing a version that is not vulnerable to Ghost.
– The Security Standards & Architecture Team
References:
Security Advisory: CVE-2015-0235
Ghost announcement by Qualys