ArcGIS Enterprise

Critical Security patch for ArcGIS Enterprise portal Released

A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in ArcGIS Enterprise portal.

All versions prior to ArcGIS Enterprise 10.8 on both Windows and Linux are impacted by this security issue. In response, Esri has released the Portal for ArcGIS Security 2020 Update 1 patch for all current versions of ArcGIS Enterprise, from version 10.5 through 10.7.1. ArcGIS Enterprise 10.8 is not affected by this issue. ArcGIS 10.3.x and 10.4.x are in mature support status. Esri does not create patches for products in the mature or retired support phases; more information regarding this can be found in the Esri Product Lifecycle Policy.

There is a specific known exploit vector for deployments running on infrastructure in Amazon Web Services (AWS), though customers running in other cloud environments may be impacted depending on the specifics of the cloud provider. Regardless of where ArcGIS Enterprise is being run, Esri always recommends installing the latest patches to all ArcGIS Enterprise software.

Esri strongly recommends all ArcGIS Enterprise administrators install this patch by using the ArcGIS Enterprise “Patch Notification” tool or by downloading the appropriate patch for your ArcGIS Enterprise site from https://support.esri.com/en/download/7777.

Be sure to subscribe to the RSS feed on the ArcGIS Trust Center for timely notifications about security trends and issues that impact the ArcGIS Platform.

Ref:

Portal for ArcGIS Security 2020 Update 1 Patch

https://support.esri.com/en/download/7777

Check for and install software patches and updates

https://enterprise.arcgis.com/en/server/latest/administer/windows/check-for-software-patches-and-updates.htm

HowTo: Schedule Automatic Updates for ArcGIS Enterprise

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/howto-schedule-automatic-updates-for-arcgis-enterprise/

ArcGIS Trust Center

https://trust.arcgis.com/

Security Update Statement

https://trust.arcgis.com/en/security/security-overview.htm#ESRI_SECTION1_A4C20198BF974A82AA2AF490F84451C4

About the author

I'm a member of the Software Security and Privacy Team. I also help out with Esri's Product Security Incident Response Team. I've been with Esri almost 13 years now. Before joining the Software Security and Privacy Team, I was a senior technical lead in Esri Support Services, focusing on deploying, securing, and using ArcGIS Enterprise technology.
