A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in the ArcGIS Enterprise portal (Portal for ArcGIS).
All versions prior to ArcGIS Enterprise 10.8, on both Windows and Linux, are affected. In response, Esri has released the Portal for ArcGIS Security 2020 Update 1 patch for all currently supported versions of ArcGIS Enterprise, 10.5 through 10.7.1. ArcGIS Enterprise 10.8 is not affected. ArcGIS 10.3.x and 10.4.x are in mature support, and Esri does not create patches for products in the mature or retired support phases, so those deployments remain exposed and the only remediation is an upgrade to a supported version; see the Esri Product Lifecycle Policy for details.
There is a specific known exploit vector for deployments running on infrastructure in Amazon Web Services (AWS), and customers running in other cloud environments may also be impacted, depending on the specifics of the cloud provider. The advisory does not describe the vector; as a general matter, SSRF from a cloud-hosted server is most damaging where it can reach the provider's instance metadata service and the credentials it serves, so restricting that endpoint (for example, requiring IMDSv2 on AWS) is a worthwhile compensating control alongside the patch. Regardless of where ArcGIS Enterprise is run, Esri always recommends installing the latest patches for all ArcGIS Enterprise software.
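The affected-version ranges above give three outcomes (patchable, affected with no patch, not affected). The following triage helper is an added example, not Esri code: it classifies a Portal for ArcGIS version string against those ranges, and optionally reads the version out of the JSON returned by the Portal Administrator API root (assumed here to be https://<host>:7443/arcgis/portaladmin?f=json with a field named "version"; an admin token is required, and the sample response below is constructed, not captured). Versions are compared as integer tuples so that, say, 10.10 sorts after 10.8, which a plain string comparison would get wrong.

```python
"""Triage helper for the Portal for ArcGIS SSRF advisory.

Added example, not Esri's code. Ranges come from the advisory:
10.5 through 10.7.1 are affected and patchable, older releases are
affected but unpatched (mature/retired support), 10.8+ is not affected.
"""
import json
from typing import Tuple

PATCHED_MIN = (10, 5)   # oldest release that receives Security 2020 Update 1
FIXED_FROM = (10, 8)    # first release that is not affected

PATCH_AVAILABLE = "affected: install Portal for ArcGIS Security 2020 Update 1"
NO_PATCH = "affected: no patch (mature/retired support), upgrade required"
NOT_AFFECTED = "not affected"


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.7.1' -> (10, 7, 1). Tuples compare numerically, so
    parse_version('10.10') > parse_version('10.8')."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Map an ArcGIS Enterprise version string to one of the three outcomes."""
    v = parse_version(version)
    if v >= FIXED_FROM:
        return NOT_AFFECTED
    if v >= PATCHED_MIN:
        return PATCH_AVAILABLE
    return NO_PATCH


def classify_portal_response(body: str) -> str:
    """Classify from the JSON body of the Portal Administrator API root.

    Assumption (not from the advisory): the root resource, requested with
    f=json and an admin token, carries the release in a 'version' field
    such as "10.7.1".
    """
    data = json.loads(body)
    return classify(data["version"])


# Constructed sample response; not captured from a real deployment.
SAMPLE_RESPONSE = '{"version": "10.7.1", "build": "0000"}'

if __name__ == "__main__":
    for ver in ("10.4.1", "10.5", "10.7.1", "10.8", "10.10"):
        print(f"{ver:>7}: {classify(ver)}")
    print("sample:", classify_portal_response(SAMPLE_RESPONSE))
```

Run it against the version reported by each portal in your inventory; anything that returns the "no patch" outcome cannot be fixed by the patch described in this advisory and has to be scheduled for an upgrade.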
Esri strongly recommends that all ArcGIS Enterprise administrators install this patch, either through the ArcGIS Enterprise “Patch Notification” tool or by downloading the patch appropriate to your ArcGIS Enterprise site from https://support.esri.com/en/download/7777.
Portal for ArcGIS Security 2020 Update 1 Patch
Check for and install software patches and updates
HowTo: Schedule Automatic Updates for ArcGIS Enterprise
ArcGIS Trust Center
Security Update Statement