Esri has discovered a critical vulnerability in ArcGIS Server that causes improper access control validation when specially crafted requests are sent to the server. As a result, secured services and their data can be exposed to users who should not otherwise have access to them.
Today we have released security patches for all currently supported ArcGIS Server versions from 10.2.1 to 10.6 on both Windows and Linux. While the exploit for this vulnerability is not yet in the wild, we strongly encourage everyone to apply this patch within the next two weeks to minimize risk.
- Non-Cumulative – Unlike most ArcGIS security patches, this one is not cumulative, so ideally apply all other applicable security patches for your version first; the Patch Notification Utility can help ease this process. This patch is NOT dependent on other patches being in place.
- Scope – This issue affects both federated deployments and stand-alone ArcGIS Server systems, and has been fixed in the 10.6.1 release.
- Mitigations – A Web Application Firewall (WAF) running in Protect mode, or use of the IIS Web Adaptor (not the Java Platform Web Adaptor), can reduce the risk of this vulnerability. These mitigations should be considered only short-term stop-gaps until the system can be patched.
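As an added example (not Esri's code and not part of this advisory), the script below triages an inventory of ArcGIS Server instances against the version range stated above: 10.2.1 through 10.6 need the patch, 10.6.1 and later carry the fix, and anything older than 10.2.1 is outside the patched range. The inventory entries are constructed JSON documents, and the `fullVersion` field name is an assumption about what a version document looks like, not something the advisory specifies.

```python
"""Classify ArcGIS Server versions against the advisory's affected range.

Added example; not Esri code. The affected range (10.2.1 - 10.6) and the fix
version (10.6.1) come from the advisory. The JSON documents below are
constructed for illustration, and the field name "fullVersion" is an
assumption, not something the advisory states.
"""
import json
from typing import Dict, Tuple

AFFECTED_MIN = (10, 2, 1)   # oldest patched version named in the advisory
AFFECTED_MAX = (10, 6, 0)   # newest affected version (10.6)
FIXED_IN = (10, 6, 1)       # release that contains the fix


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '10.6' or '10.6.1' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:          # pad '10.6' to (10, 6, 0) so tuples compare cleanly
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def classify(version: str) -> str:
    """Return 'patch-required', 'fixed', or 'unsupported' for one version string."""
    v = parse_version(version)
    if v >= FIXED_IN:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "patch-required"
    # Older than 10.2.1: the advisory lists no patch for these releases.
    return "unsupported"


def assess_servers(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each server label to its classification.

    `inventory` maps a label to the JSON text of that server's version
    document (constructed here; "fullVersion" is an assumed field name).
    Malformed or incomplete documents are reported rather than skipped, so
    a host with unknown status is never silently treated as patched.
    """
    results: Dict[str, str] = {}
    for name, doc in inventory.items():
        try:
            info = json.loads(doc)
            results[name] = classify(str(info["fullVersion"]))
        except (ValueError, KeyError, TypeError) as exc:
            results[name] = f"unknown ({exc.__class__.__name__})"
    return results


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "gis-prod-01": '{"fullVersion": "10.6"}',
    "gis-prod-02": '{"fullVersion": "10.6.1"}',
    "gis-legacy": '{"fullVersion": "10.2"}',
    "gis-fed-03": '{"fullVersion": "10.4.1"}',
    "gis-broken": '{"version": "unknown"}',
}

if __name__ == "__main__":
    for host, status in assess_servers(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

Because the patch is non-cumulative, a "patch-required" result means only that this patch applies; it says nothing about whether earlier security patches for that version are already installed, which is what the Patch Notification Utility mentioned above is for.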
– Esri Security Standards & Architecture Team