The recent identification of the processor security vulnerabilities known as Meltdown and Spectre has affected nearly everyone who uses a computer or smartphone, and has spurred unprecedented action from technology companies and researchers worldwide. Microsoft released several patches for Windows software earlier this month to address the vulnerabilities. Unfortunately, the updates for Windows Server 2008 R2 and Windows 7 have caused significant problems for ArcGIS Server customers running these operating system versions.
Specifically, geoprocessing services crash on ArcGIS Server (regardless of release version) after the following Windows updates are installed on Server 2008 R2 or Windows 7. This update alone:
- KB4056894: 2018-01 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems
Or the combination of these two updates:
- KB4056568: Cumulative security update for Internet Explorer
- KB4056897: January 3, 2018 Security-Only Update
This bug prevents users from running geoprocessing jobs, publishing new services, or using the default print service in ArcGIS Server. The problem is isolated to machines running Windows Server 2008 R2 and Windows 7 only, and only occurs once the above updates are installed.
Esri has been working to address this problem since it was first identified. This week, we have begun releasing a software patch for each supported version of ArcGIS Server and ArcGIS Enterprise (the platform comprising ArcGIS Server, Portal for ArcGIS, ArcGIS Data Store, and ArcGIS Web Adaptor). Patches have been released for ArcGIS Server versions 10.6, 10.5.1, 10.5, 10.4.1, 10.4, 10.3.1, and 10.3, which are presently supported; we are also taking the additional step of releasing patches for versions 10.2.2 and 10.2.1, which are in mature support and normally would not receive new patches.
If you are running ArcGIS Server 10.2.1 or later on Windows Server 2008 R2 or Windows 7, please check the ArcGIS Server Geoprocessing Service Startup Patch page for whether the patch corresponding to your version of ArcGIS Server has been released; if it has, please download and install the patch following the instructions on the page. Note that you are asked to check all geoprocessing services once the patch has been installed, and if any are still not functioning, you must stop and start the service manually.
We want to stress that this bug is not directly caused by the Meltdown and Spectre vulnerabilities. If you have installed the Windows patches released by Microsoft, your machine is now protected from Meltdown and Spectre. The geoprocessing service issue is an indirect consequence involving the patches for Windows Server 2008 R2 and Windows 7.
We do not recommend avoiding the installation of these or any available security patches, even if the ArcGIS Server geoprocessing patch corresponding to your software version has not yet been released. The risk posed by running an operating system without the corresponding security updates needs to be evaluated individually, based on the threat posed in your unique environment.
Furthermore, though we understand the time and expense involved in upgrading any system, particularly one in production, it is always a security best practice to upgrade your operating system and all software programs such as ArcGIS to the latest version. Mainstream support for Windows Server 2008 R2 and Windows 7 ended in 2015, and extended support for these versions will end in January 2020. We strongly recommend that all customers on these operating systems begin planning for an upgrade to a more recent version of Windows, such as Windows Server 2016.
ArcGIS 10.1 was retired on January 1, 2018, and versions 10.2 through 10.2.2 will be retired in July 2019 and are already in mature support, which means they are not receiving regular security updates or functional patches.
If you have installed this patch and are still encountering issues with ArcGIS Server, and restarting services has not rectified the problem, please contact Esri Support.
For more information, please visit the following links:
Michael Young’s post on the ArcGIS Blog: “Meltdown and Spectre Processor Vulnerabilities”