ArcGIS Blog

Administration

ArcGIS Server Security 2022 Update 1 Patch

By RandallWilliams and Michael Young

Esri has released the ArcGIS Server Security 2022 Update 1 Patch that resolves one high and four moderate severity security vulnerabilities across versions 10.9.1, 10.8.1, and 10.7.1.

This patch is available here.

We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations.  Both base and modified temporal scores are provided to reflect the availability of an official patch.

Vulnerabilities fixed by this patch

CVE-2022-38196 – CWE-22

There is a path traversal vulnerability in Esri ArcGIS Server  versions 10.9.1 and below that may result in a denial of service by allowing a remote, authenticated attacker to overwrite an internal ArcGIS Server directory.

CVSS Details:

  • 7.2 Base Score, 6.5 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • /AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/RL:O/MAV:A

Mitigations:

Disable administration via the ArcGIS Web Adaptor. Disabling administration via the ArcGIS Web Adaptor is recommended as a best practice when exposing ArcGIS Server to the public internet.

See: https://enterprise.arcgis.com/en/web-adaptor/latest/install/iis/configure-arcgis-web-adaptor-server.htm

Esri Bug ID: BUG-000150537

 

 

CVE-2022-38195 – CWE-79

There is a reflected XSS vulnerability in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

CVSS Details:

  • 6.1 Base Score, 5.2 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MPR:L/MAV:A

Mitigations:

Disable administration via the ArcGIS Web Adaptor. Disabling administration via the ArcGIS Web Adaptor is recommended as a best practice when exposing ArcGIS Server to the public internet.

See: https://enterprise.arcgis.com/en/web-adaptor/latest/install/iis/configure-arcgis-web-adaptor-server.htm

Esri Bug ID: BUG-000150540

 

 

CVE-2022-38197 – CWE-601

There is an unvalidated redirect vulnerability in ArcGIS Server that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker controlled website via a crafted query parameter.

CVSS Details:

  • 5.4 Base Score, 4.6 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • /AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/MAV:A

Mitigations: Disable administration via the ArcGIS Web Adaptor. Disabling administration via the ArcGIS Web Adaptor is recommended as a best practice when exposing ArcGIS Server to the public internet.

See: https://enterprise.arcgis.com/en/web-adaptor/latest/install/iis/configure-arcgis-web-adaptor-server.htm

Esri Bug ID: BUG-000148347

 

CVE-2022-38198 – CWE-79

There is a reflected XSS vulnerability in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

CVSS Details:

  • 6.1 Base Score, 5.8 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C

Mitigations:

Disable the ArcGIS Services Directory. Disabling the ArcGIS services directory is recommended as a best practice when exposing GIS Services to the public internet.

See: https://enterprise.arcgis.com/en/server/latest/administer/linux/disabling-the-services-directory.htm

Esri Bug ID: BUG-000146513

 

CVE-2022-38199 – CWE-494

A remote file download vulnerability can occur in some capabilities of web services provided by Esri ArcGIS Server versions 10.9.1 and below that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim’s PATH environment. Current browsers provide users with warnings against running unsigned executables downloaded from the internet.

CVSS Details:

  • 6.1 Base Score, 5.8 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O

Esri Bug ID: BUG-000144172

Credit: David M. Chavez

Share this article