Using an Esri-provided image on Azure's Marketplace, ArcGIS Server 10.3.1 started Java's rmid on port 1098 and explicitly set the property java.rmi.server.useCodebaseOnly equal to false.

Screenshot:
https://www.dropbox.com/s/xz9ugal3ixnfh1c/10.3.1_rmid_useCodebaseOnly%3Dfalse.png?dl=0

As discussed on Oracle's website, the default value of java.rmi.server.useCodebaseOnly was changed to true in Java 7 Update 21, with a remark that setting it to false could create a risk of RCE.

Link:
http://docs.oracle.com/javase/7/docs/technotes/guides/rmi/enhancements-7.html

While the version of Java included in ArcGIS Server 10.3.1 appears to be Java 7 Update 76, which would have the more secure default setting, that is irrelevant due to the ArcGIS solution manually changing it.

Screenshot:
https://www.dropbox.com/s/5reh81dwwp9e4dz/10.3.1_rmid_java7u76.png?dl=0

When an attacker can remotely reach rmid on the victim server, and the victim server can reach a web server on a machine controlled by the attacker, this is relatively easily exploited to gain RCE.

Video:
https://www.dropbox.com/s/t4fmxwzjzzo7yhe/ArcGIS_useCodebaseOnly%3Dfalse_exploitation.wmv?dl=0

Administrators are encouraged to use a tool such as Process Explorer or wmic to ensure that the command line arguments passed to rmid have the java.rmi.server.useCodebaseOnly property equal to true.

During testing, Esri-provided images on Azure's Marketplace for ArcGIS Server 10.4.1 and 10.5.1 were found to set that property to true; administrators may try updating to a newer version of ArcGIS Server, and/or contacting Esri for assistance.

If an update is required but not immediately possible, consider firewall rules to block access to rmid from systems that have no need to connect to it.
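
One way to script the command-line check recommended above, as an added PowerShell example that is not part of the original advisory and is not Esri or Oracle code. The function name, the status labels, the sample command lines and the process image name rmid.exe are assumptions made for illustration.

```powershell
# Added example: classify an rmid command line by its
# java.rmi.server.useCodebaseOnly setting.
function Get-UseCodebaseOnlyStatus {
    param([string]$CommandLine)

    if ([string]::IsNullOrWhiteSpace($CommandLine)) {
        return 'UNKNOWN'    # command line not visible; rerun from an elevated prompt
    }
    # The property can appear more than once on one command line,
    # so collect every value instead of stopping at the first.
    $pattern = 'java\.rmi\.server\.useCodebaseOnly=([^\s"]*)'
    $values = @([regex]::Matches($CommandLine, $pattern, 'IgnoreCase') |
        ForEach-Object { $_.Groups[1].Value })

    if ($values.Count -eq 0) {
        return 'NOT_SET'    # JVM default applies (true since Java 7 Update 21)
    }
    # Assumption: only the literal value "true" (any case) is treated as safe.
    if (@($values | Where-Object { $_ -ne 'true' }).Count -gt 0) {
        return 'INSECURE'
    }
    return 'OK'
}

# Constructed sample command lines (not copied from a real ArcGIS Server host).
$samples = @(
    'rmid.exe -port 1098 -J-Djava.rmi.server.useCodebaseOnly=false',
    'rmid.exe -port 1098 -J-Djava.rmi.server.useCodebaseOnly=true',
    'rmid.exe -port 1098'
)
foreach ($s in $samples) {
    '{0,-9} {1}' -f (Get-UseCodebaseOnlyStatus $s), $s
}

# Live check on this host. Assumption: the process image is named rmid.exe.
if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    Get-CimInstance Win32_Process -Filter "Name = 'rmid.exe'" -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Status      = Get-UseCodebaseOnlyStatus $_.CommandLine
                CommandLine = $_.CommandLine
            }
        }
}
```

A NOT_SET result is only as safe as the bundled Java version, so confirm that the JRE is Java 7 Update 21 or later before treating it as acceptable.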