ArcGIS Enterprise

ArcGIS Server Security 2021 Update 1 Patch

Esri has released the ArcGIS Server Security 2021 Update 1 Patch that resolves a number of recently identified security vulnerabilities across versions 10.8.1, 10.7.1, and 10.6.1. As with all security patches, we encourage all system administrators to install security updates on relevant systems at your earliest opportunity.

This patch addresses one high severity vulnerability and multiple medium severity vulnerabilities. We provide Common Vulnerability Scoring System (CVSS) scores so that customers can better assess the risk these vulnerabilities pose to their operations. Both the base score and a modified temporal score are provided; the temporal score reflects the availability of an official patch. Please see Common Vulnerability Scoring System for more information on the definition of these metrics.

Vulnerabilities fixed in this patch include:

 

Common Vulnerability Scoring System (CVSS v3.1) Details

9.1 Base Score, 8.7 Temporal Score

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/RL:O

Vulnerability Details 

CVE-2021-29102 – Server Side Request Forgery (SSRF) CWE-918 – CVSS 8.7

 

Common Vulnerability Scoring System (CVSS v3.1) Details

6.1 Base Score, 5.8 Temporal Score

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O

Vulnerability Details 

CVE-2021-29103 – Cross Site Scripting (XSS) CWE-79 – CVSS 5.2

 

Common Vulnerability Scoring System (CVSS v3.1) Details

6.1 Base Score, 5.8 Temporal Score

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O

Vulnerability Details 

CVE-2021-29107 – Cross Site Scripting (XSS) CWE-79 – CVSS 5.2

 

Common Vulnerability Scoring System (CVSS v3.1) Details

5.4 Base Score, 5.2 Temporal Score

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O

Vulnerability Details 

CVE-2021-29105 – Cross Site Scripting (XSS) CWE-79 – CVSS 5.2

Acknowledgements 

Matthew Dekker – Security Consultant ZX Security Limited

 

Common Vulnerability Scoring System (CVSS v3.1) Details

6.1 Base Score, 4.6 Temporal Score

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/RL:O

Vulnerability Details 

CVE-2021-29104 – Cross Site Scripting (XSS) CWE-79 – CVSS 4.2

Acknowledgements 

Roberto Suggi Liverani from NATO Cyber Security Centre (NCSC)

 

Common Vulnerability Scoring System (CVSS v3.1) Details

4.7 Base Score, 4.2 Temporal Score

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O

Vulnerability Details 

CVE-2021-29106 – Cross Site Scripting (XSS) CWE-79 – CVSS 4.2

About the authors

I'm a member of the Software Security and Privacy Team. I also help out with Esri's Product Security Incident Response Team. I've been with Esri almost 14 years now. Before joining the Software Security and Privacy Team, I was a senior technical lead in Esri Support Services, focusing on deploying, securing, and using ArcGIS Enterprise technology.
