ArcGIS Blog

Administration

ArcGIS Enterprise

Mar 31, 2021

ArcGIS Server SQL injection security update

By Michael Young

A SQL injection vulnerability exists in some configurations of Esri ArcGIS Server versions 10.8.1 (and earlier). Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets).

Mitigating measures:

  • Web Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.
  • By default, services published to ArcGIS Enterprise are not available anonymously and those services cannot be accessed by an unauthenticated attacker.
  • Database accounts should be configured using the principle of least privilege.

Esri has released updates for ArcGIS Server that resolve this moderate-risk vulnerability here.

Common Vulnerability Scoring System (CVSS v3.1) Details 

5.3 Base Score, 4.8 Temporal Score 

  • Exploit Code Maturity: Proof-of-Concept
  • Remediation Level: Official Fix Available 
  • Report Confidence: Confirmed by Esri 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 

We provide the temporal score in addition to the base score to allow our customers to better assess risk of this vulnerability to their operations.  Please see Common Vulnerability Scoring System for more information on the definition of these metrics. 

Vulnerability Details 

Acknowledgements:

  • Elwood Buck (MindPoint Group)
  • Peter Davies (MindPoint Group)

Share this article

administration arcgis trust center patch security arcgis enterprise arcgis trust center

Article Discussion:

Subscribe
Notify of
0 Comments
Oldest
Newest
Inline Feedbacks
View all comments
Paul Bartsch(@pdbar)
April 3, 2020 7:25 am

Good morning John! Thanks for putting this article together. My son and I are attempting the Lego style map and I’m receiving a permission denied warning when attempting to download your style. Any advice?
Thanks,
Paul

John Nelson(@j_nelson)
April 3, 2020 7:37 am
Reply to  Paul Bartsch

How strange; sorry for the inconvenience, Paul! Shoot me an email with more info and I’ll try to sort it out. In the meantime, here is a direct link to download that style file: https://esriis-my.sharepoint.com/:u:/g/personal/john8409_esri_com/EbMy7–IEEhOo4VdXYF-Ma0B_nlX1ztp-zUZC3RTU6VB6w?e=GxsKkw

Paul Bartsch(@pdbar)
April 9, 2020 8:44 am
Reply to  John Nelson

Thanks so much John! My boys think my job is awesome now. That Lego map really did the trick. I’m able to download all of the styles now. Not sure what changed. Perhaps I wasn’t logged in before. Anyway, thank you!

John Nelson(@j_nelson)
April 9, 2020 9:08 am
Reply to  Paul Bartsch

Rock and roll, Paul! Feel free to share the map you guys made, I’d love to see it. The log-in thing was my bad. All sorted now though. Hope it didn’t slow you down too long.