ArcGIS Enterprise

Critical Security patch for ArcGIS Server Released

Esri has recently discovered a critical Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server. This issue has been assigned a base CVSS score of 9.8, with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

In response, Esri has released the ArcGIS Server Security 2020 Update 1 Patch for all currently supported ArcGIS Server versions 10.7.1 and prior to address this issue. ArcGIS Server 10.8 is unaffected by this vulnerability. 

Exploiting this SSRF requires specific steps by someone with network access to the ArcGIS deployment; a successful exploit could give an unauthorized individual access to sensitive internal system information.

Esri strongly recommends that all ArcGIS Server administrators install this patch, either by using the ArcGIS Server "Patch Notification" utility or by downloading the appropriate patch for your ArcGIS Enterprise site from the ArcGIS Server Security 2020 Update 1 Patch knowledge base article.

Be sure to subscribe to the RSS feed on the ArcGIS Trust Center for timely notifications regarding security trends and issues that affect the ArcGIS Platform.

Refer to the following resources: 

ArcGIS Server Security 2020 Update 1 Patch 

Check for and install software patches and updates  

HowTo: Schedule Automatic Updates for ArcGIS Enterprise 

ArcGIS Trust Center 

Security Update Statement 


About the author

I'm a member of the Software Security and Privacy Team. I also help out with Esri's Product Security Incident Response Team. I've been with Esri almost 13 years now. Before joining the Software Security and Privacy Team, I was a senior technical lead in Esri Support Services, focusing on deploying, securing, and using ArcGIS Enterprise technology.
