[Stategism] Esri and SSLV2 Connectivity

Bill Farnsworth Bill.Farnsworth at cio.idaho.gov
Fri Mar 18 12:15:46 MDT 2016


GIS Managers,

If you are running Esri software before the 10.3 release this information is for you.

Before the 10.3 release Esri is using SSL for security.
SSL is going to be blocked on the state network (and at many other organizations) because of a high risk security flaw.
This might stop traffic to your Esri software.
This information is being sent to the agencies' IT and Security departments.
From Esri:
"SSL / TLS: I'm sure some people are scratching their heads about our discussion here of TLS (as opposed to SSL), and you will continue to see the terms used interchangeably in documentation and presentations; however, to be clear, SSL v3 was pronounced dead last year, with the announcement of the IT industry-wide POODLE SSL vulnerability <http://blogs.esri.com/esri/arcgis/2014/10/16/avoid-ssl-poodle-bite/>. Starting with the ArcGIS 10.3 release, Esri disabled SSL v3 for their web services and moved to utilizing only TLS to support the secure operations of our customers."
Full article at: https://blogs.esri.com/esri/arcgis/2015/03/11/sharing-web-gis-services-always-enable-tls/
And here is a VERY timely guidance paper:
http://downloads.esri.com/resources/enterprisegis/TLS_Guidance.pdf

If you need more information, please let me know.
I have included some of the emails that are going out to the IT and Security departments.


Cheers,
Bill

bill.farnsworth at cio.idaho.gov
208 332-1878 (w)
208 863-9039 (c)

From: Lance Wyatt
Sent: Friday, March 18, 2016 11:53 AM
Subject: RE: Notice to CIOs -- OCIO to Block SSLV2 Connectivity Due to "Drown" Attack
Importance: High

CIOs,

This is a follow-up to the OCIO effort to block SSLV2 at the end of this month. We are notifying you that your ESRI GIS services could be blocked once OCIO blocks SSLV2, because older ESRI servers may still use SSLV2 even though ESRI no longer supports SSLV2 in its newer server versions. You should work with your GIS teams and confirm if their ESRI servers are communicating on SSLV2 and let OCIO know so we can discuss options.

Likewise if you have any other systems that may depend on SSLV2 connectivity please let me know so we can discuss options.

As a reminder, OCIO plans to block SSLV2 traffic starting March 30, 2016.

If you have any questions or concerns please contact me. Bill Farnsworth will send a copy of this email to his GIS point of contacts as well.

Respectfully,

Lance Wyatt
Deputy Chief Information Security Officer
Office of the CIO, State of Idaho
lance.wyatt at cio.idaho.gov
www.cybersecurity.idaho.gov
O:(208) 332-1880


From: Lance Wyatt
Sent: Wednesday, March 09, 2016 7:23 AM
Cc: Thomas Olmstead <Thomas.Olmstead at cio.idaho.gov>
Subject: Notice to CIOs -- OCIO to Block SSLV2 Connectivity Due to "Drown" Attack

CIOs,

This is a notice to all State of Idaho CIOs that the OCIO is planning to block all SSLV2 traffic in and out of the state firewall due to risks associated with the "Drown" attack vulnerability. The "Drown" attack exploits a serious vulnerability that affects HTTPS and other services that still rely on the SSL service. The Department of Administration OCIO is planning to block SSLV2 traffic starting on March 30, 2016. If your server cannot support TLS and your business model requires SSLV2 connectivity, then please contact me so we can coordinate a risk assessment and the identification of associated mitigation remedies.

Please see the below links for the "Drown" attack vulnerability details:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800

Please provide prompt feedback so we can tailor our actions to customers while we secure https communication links.

Respectfully,



Lance Wyatt
Deputy Chief Information Security Officer
Office of the CIO, State of Idaho
lance.wyatt at cio.idaho.gov
www.cybersecurity.idaho.gov
O:(208) 332-1880


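As an added example, not part of the original thread and not Esri's or OCIO's material: the check Lance asks GIS teams to perform ("confirm if their ESRI servers are communicating on SSLV2") can be done by sending an SSLv2 CLIENT-HELLO to one of your own servers and classifying the reply. A server that still has SSLv2 enabled answers with an SSLv2 SERVER-HELLO listing the cipher kinds it accepts; a server that has it disabled closes the connection, sends a TLS alert, or returns an SSLv2 ERROR. The script below is written for this page; the host name in the usage line is a placeholder, and SAMPLE_SERVER_HELLO is a constructed (certificate-free) SERVER-HELLO used only to exercise the parser offline.

```python
import os
import socket
import struct
import sys

# SSLv2 CIPHER-KIND values (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind.

    Record layout: 2-byte header (high bit set, 15-bit length), then
    msg type 0x01, version 0x0002, cipher-spec length, session-id length,
    challenge length, cipher specs, challenge.
    """
    challenge = challenge if challenge is not None else os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01" + b"\x00\x02"
            + struct.pack("!HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_sslv2_response(data):
    """Classify what the server sent back to an SSLv2 CLIENT-HELLO.

    Returns (supports_sslv2, detail): detail is the list of cipher kinds the
    server offered, or a short reason when SSLv2 was not negotiated.
    """
    if not data:
        return False, "connection closed without a response"
    if data[0] == 0x15:
        # TLS alert record (content type 21): the server rejected the v2 hello.
        return False, "TLS alert received; server does not speak SSLv2"
    if len(data) < 2 or not data[0] & 0x80:
        return False, "response is not an SSLv2 record"
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) < 11:
        return False, "truncated SSLv2 record"
    msg_type = body[0]
    if msg_type == 0x00:
        return False, "SSLv2 ERROR message received"
    if msg_type != 0x04:
        return False, "unexpected SSLv2 message type 0x%02x" % msg_type
    # SERVER-HELLO: type, session-id-hit, cert type, version, then three lengths.
    version = struct.unpack("!H", body[3:5])[0]
    cert_len, spec_len, _conn_len = struct.unpack("!HHH", body[5:11])
    if version != 0x0002:
        return False, "SERVER-HELLO carries unexpected version 0x%04x" % version
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    if len(specs) < spec_len or spec_len % 3:
        return False, "malformed cipher-spec list in SERVER-HELLO"
    ciphers = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, spec_len, 3)]
    return True, ciphers


def probe_sslv2(host, port=443, timeout=5.0):
    """Connect to host:port, send an SSLv2 CLIENT-HELLO and classify the reply."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                if data[0] & 0x80:
                    # Stop once the whole SSLv2 record has arrived.
                    if len(data) >= 2 + (((data[0] & 0x7F) << 8) | data[1]):
                        break
                elif len(data) >= 7:
                    break  # enough to recognise a TLS alert or other non-v2 reply
        except socket.timeout:
            pass
    return parse_sslv2_response(data)


# Constructed SSLv2 SERVER-HELLO (certificate omitted to keep it short) used to
# exercise the parser offline; a real server would include its X.509 certificate.
SAMPLE_SERVER_HELLO = (
    b"\x80\x21"                          # record header, 33-byte body
    + b"\x04\x00\x01\x00\x02"            # SERVER-HELLO, no session hit, X.509, v2
    + struct.pack("!HHH", 0, 6, 16)      # cert len, cipher-spec len, conn-id len
    + b"\x01\x00\x80" + b"\x07\x00\xc0"  # RC4-128-MD5, 3DES-MD5
    + b"\x00" * 16                       # connection id
)

if __name__ == "__main__":
    # Usage: python sslv2_probe.py gis.example.invalid 443  (host is a placeholder)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe_sslv2(target, port))
```

Run it against each ArcGIS Server or web adaptor host you own before March 30; a `(True, [...])` result means that host will be affected by the firewall change and needs SSLv2 disabled (and, per Esri's guidance paper, TLS enabled) or a risk assessment filed with OCIO. Note that the probe only asks the question at the protocol level; it does not decrypt anything, and a host that answers `(False, ...)` may still need the POODLE-era SSL v3 clean-up Esri describes.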