ArcGIS Server Security 2021 Update 2 Patch is now available

Esri has released the ArcGIS Server Security 2021 Update 2 Patch. This patch resolves four recently identified security vulnerabilities across versions 10.9, 10.8.1, 10.7.1, and 10.6.1. As with all security patches, we encourage all system administrators to install security updates on relevant systems at your earliest opportunity.

One high severity vulnerability and three medium severity vulnerabilities are addressed in this patch. The ArcGIS Server Security 2021 Update 2 Patch is available here.

We provide Common Vulnerability Scoring System (CVSS) scores so that customers can better assess the risk these vulnerabilities pose to their operations. For each issue both the base score and a modified temporal score are provided; the temporal score reflects the availability of an official patch. Please see the Common Vulnerability Scoring System specification for more information on the definition of these metrics.
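As an added illustration (this code is not Esri's and is not part of the original post), the following Python reproduces the figures on this page from the vectors themselves, using the formulas in the CVSS v3.1 specification. The "CVSS 6.0", "5.2" and "4.1" figures given with the first three vectors are what the specification calls the environmental score: the base score recomputed with the modified privileges metric (MPR:L) and then discounted by the remediation-level factor (RL:O). Evaluating the fourth vector exactly as it is printed on this page gives 5.8, not the 3.3 shown with it, so check the published vector before reusing that figure.

```python
"""CVSS v3.1 scoring for the vectors printed in this advisory.

Added example, not Esri's code: an implementation of the FIRST CVSS v3.1
specification (section 7) for the metrics these vectors use. Base, temporal
and environmental scores are computed separately so the reader can see which
number the "CVSS x.y" lines on the page correspond to.
"""
import math

# Metric weights from the CVSS v3.1 specification (section 7.4).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.00}
E = {"X": 1.00, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.00}
RL = {"X": 1.00, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.00}
RC = {"X": 1.00, "U": 0.92, "R": 0.96, "C": 1.00}
REQ = {"X": 1.00, "L": 0.50, "M": 1.00, "H": 1.50}  # CR / IR / AR
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def pr_weight(pr, scope_changed):
    """Privileges Required weighs more when the impacted component differs from the vulnerable one."""
    if pr == "N":
        return 0.85
    if pr == "L":
        return 0.68 if scope_changed else 0.62
    return 0.50 if scope_changed else 0.27  # "H"


def roundup(x):
    """Spec 'Roundup': smallest one-decimal value >= x, in integer arithmetic to avoid float artefacts."""
    i = int(math.floor(x * 100000 + 0.5))
    if i % 10000 == 0:
        return i / 100000.0
    return (i // 10000 + 1) / 10.0


def parse_vector(vector):
    """'CVSS:3.1/AV:N/...' -> {'AV': 'N', ...}; tolerates the leading '#' used on this page."""
    parts = vector.strip().lstrip("#").split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("not a CVSS v3.1 vector: %r" % vector)
    m = dict(p.split(":", 1) for p in parts[1:])
    missing = [k for k in BASE_METRICS if k not in m]
    if missing:
        raise ValueError("missing base metrics: " + ", ".join(missing))
    return m


def impact_sub(iss, scope_changed, environmental):
    """Impact sub-score; v3.1 uses a slightly different curve for the modified (environmental) case."""
    if not scope_changed:
        return 6.42 * iss
    if environmental:
        return 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15


def combine(impact, exploitability, scope_changed, temporal_mult=1.0):
    """Fold impact and exploitability into a score, then apply E*RL*RC (temporal and environmental)."""
    if impact <= 0:
        return 0.0
    raw = 1.08 * (impact + exploitability) if scope_changed else impact + exploitability
    return roundup(roundup(min(raw, 10)) * temporal_mult)


def scores(vector):
    """Return {'base', 'temporal', 'environmental'} for a CVSS v3.1 vector string."""
    m = parse_vector(vector)

    def g(k):            # optional metric, default Not Defined
        return m.get(k, "X")

    def mod(k):          # modified metric, falling back to its base counterpart
        return m[k] if g("M" + k) == "X" else m["M" + k]

    temporal_mult = E[g("E")] * RL[g("RL")] * RC[g("RC")]

    sc = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr_weight(m["PR"], sc) * UI[m["UI"]]
    base = combine(impact_sub(iss, sc, False), expl, sc)
    temporal = roundup(base * temporal_mult)

    msc = mod("S") == "C"
    miss = min(1 - (1 - REQ[g("CR")] * CIA[mod("C")])
                   * (1 - REQ[g("IR")] * CIA[mod("I")])
                   * (1 - REQ[g("AR")] * CIA[mod("A")]), 0.915)
    mexpl = 8.22 * AV[mod("AV")] * AC[mod("AC")] * pr_weight(mod("PR"), msc) * UI[mod("UI")]
    environmental = combine(impact_sub(miss, msc, True), mexpl, msc, temporal_mult)
    return {"base": base, "temporal": temporal, "environmental": environmental}


# The four vectors exactly as printed in this advisory.
ADVISORY_VECTORS = {
    "SQLi": "#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:O/MPR:L",
    "stored XSS": "#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/MPR:L",
    "info disclosure": "#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/RL:O/MPR:L",
    "help docs": "#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O",
}

if __name__ == "__main__":
    for name, vec in ADVISORY_VECTORS.items():
        print("%-16s %s" % (name, scores(vec)))
```

The base scores are the "one high, three medium" split mentioned above (7.3 for the SQL injection, 6.1, 4.3 and 6.1 for the rest); the environmental figure is the one to use when prioritising patching on a deployment where the services are not anonymous, since that is what MPR:L models.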

Vulnerabilities fixed in this patch include:

A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and earlier allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specially crafted queries.

Common Vulnerability Scoring System (CVSS v3.1) Details

#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:O/MPR:L

Vulnerability Details

CVE Coming Soon – SQL Injection (SQLi) CWE-89 – CVSS 6.0

Mitigating measures:

A stored Cross Site Scripting (XSS) vulnerability in feature services in Esri ArcGIS Server versions 10.8.1 and 10.9 (only) may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which, when later accessed, could execute arbitrary JavaScript in the user's browser.

Common Vulnerability Scoring System (CVSS v3.1) Details

#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/MPR:L

Vulnerability Details

CVE Coming Soon – Cross Site Scripting (XSS) CWE-79 – CVSS 5.2

Mitigating measures:

By default, services published to ArcGIS Enterprise are not available anonymously, so an unauthenticated attacker cannot reach them.

An information disclosure vulnerability in hosted feature service views in Esri ArcGIS Enterprise versions 10.9.0 and below: a field that is marked as invisible in a view is not removed from the view's editing templates, which allows a remote attacker to read the hidden field names via the ArcGIS Services Directory.

Common Vulnerability Scoring System (CVSS v3.1) Details

#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/RL:O/MPR:L

Vulnerability Details

CVE Coming Soon – Information Exposure CWE-200 – CVSS 4.1

Mitigating measures:

Options to mitigate this issue include securing the hosted feature service and any hosted feature service views created from it.
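Both of the mitigations above (services not being anonymously available, and securing the hosted feature service and its views) are things an administrator can verify from the outside. The following Python is an added example, not Esri's code and not part of the original post: it walks a services directory without a token and reports which FeatureServer endpoints answer a logged-out caller, then cross-checks a layer document for the editing-template leak described above. Everything about the REST layout is an assumption taken from the public ArcGIS REST API rather than from this advisory: the directory at `https://<host>/<web adaptor>/rest/services`, the `f=json` parameter, the `folders`/`services`/`layers` keys, the `templates[].prototype.attributes` structure, and a secured resource answering with an `error` object whose code is 499 (Token Required) or 498 (Invalid Token). The sample documents in the block are constructed, not captured from a real server.

```python
"""Which feature services answer a logged-out caller?

Added example, not Esri's code. Assumptions (public ArcGIS REST API, not this
advisory): directory at https://<host>/<web adaptor>/rest/services, every
resource accepts f=json, and a secured resource answers a token-less request
with an "error" object whose code is 499 (Token Required) or 498 (Invalid Token).
"""
import json
import sys
import urllib.request


def classify(doc):
    """Classify one parsed REST response obtained without a token."""
    err = doc.get("error")
    if err is None:
        return "anonymous"
    if err.get("code") in (498, 499):
        return "secured"
    return "error:%s" % err.get("code")


def hidden_fields_exposed(layer_doc):
    """Names referenced by editing templates that the layer does not publish in 'fields'.

    A view that hides a field should not mention it in templates[].prototype.attributes
    (or types[].templates[]); anything returned here is readable by whoever can read the
    layer JSON, which is the leak the information-disclosure fix closes."""
    published = {f["name"] for f in layer_doc.get("fields", [])}
    templates = list(layer_doc.get("templates", []))
    for typ in layer_doc.get("types", []):
        templates.extend(typ.get("templates", []))
    referenced = set()
    for t in templates:
        referenced.update(t.get("prototype", {}).get("attributes", {}))
    return referenced - published


def fetch(url, timeout=15):
    """GET a REST resource as JSON without a token (assumed f=json convention)."""
    sep = "&" if "?" in url else "?"
    with urllib.request.urlopen(url + sep + "f=json", timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def walk(root, fetch_fn=fetch):
    """Yield (url, classification, doc) for every FeatureServer reachable from the directory root.

    fetch_fn is injectable so the walk can run against constructed documents offline."""
    root = root.rstrip("/")
    pending = [root]
    while pending:
        doc = fetch_fn(pending.pop())
        if classify(doc) != "anonymous":      # folder listing itself is secured: nothing to enumerate
            continue
        for folder in doc.get("folders", []):
            pending.append(root + "/" + folder)
        for svc in doc.get("services", []):   # service names already carry their folder prefix
            if svc.get("type") == "FeatureServer":
                url = "%s/%s/FeatureServer" % (root, svc["name"])
                svc_doc = fetch_fn(url)
                yield url, classify(svc_doc), svc_doc


# Constructed sample documents (not captured from a real server) for offline use.
ROOT = "https://example.invalid/arcgis/rest/services"
SAMPLE_SECURED = {"error": {"code": 499, "message": "Token Required", "details": []}}
SAMPLE_LAYER = {
    "name": "Inspections_view",
    "fields": [{"name": "OBJECTID"}, {"name": "status"}],  # 'inspector_phone' is hidden in the view
    "templates": [{"name": "New inspection",
                   "prototype": {"attributes": {"status": "open", "inspector_phone": None}}}],
}
SAMPLE_DIRECTORY = {
    ROOT: {"folders": ["Utilities"],
           "services": [{"name": "Parcels", "type": "FeatureServer"},
                        {"name": "Basemap", "type": "MapServer"}]},
    ROOT + "/Utilities": {"folders": [],
                          "services": [{"name": "Utilities/Inspections", "type": "FeatureServer"}]},
    ROOT + "/Parcels/FeatureServer": {"layers": [{"id": 0, "name": "Parcels"}]},
    ROOT + "/Utilities/Inspections/FeatureServer": SAMPLE_SECURED,
}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else ROOT
    fetch_fn = SAMPLE_DIRECTORY.__getitem__ if root == ROOT else fetch
    for url, state, doc in walk(root, fetch_fn):
        print(state, url)
        if state == "anonymous" and fetch_fn is fetch:
            for layer in doc.get("layers", []):
                leaked = hidden_fields_exposed(fetch("%s/%d" % (url, layer["id"])))
                if leaked:
                    print("  layer %d references unpublished fields: %s" % (layer["id"], sorted(leaked)))
```

Run it with the real directory URL as the first argument; with no argument it walks the constructed sample. Any endpoint reported as "anonymous" is one where the "not available anonymously" mitigation does not apply, and a non-empty set from the layer check means the view is still advertising field names it was meant to hide.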

A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker-supplied HTML into a page.

Common Vulnerability Scoring System (CVSS v3.1) Details

#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O

Vulnerability Details

CVE Coming Soon – Cross Site Scripting (XSS) CWE-79 – CVSS 3.3

Mitigating measures:

The help documentation may be secured at the web tier. See: https://community.esri.com/t5/esri-software-security-privacy-blog/bg-p/esri-software-security-and-privacy-blog/page/2

About the author

I'm a member of the Software Security and Privacy Team. I also help out with Esri's Product Security Incident Response Team. I've been with Esri almost 14 years now. Before joining the Software Security and Privacy Team, I was a senior technical lead in Esri Support Services, focusing on deploying, securing, and using ArcGIS Enterprise technology.

