Esri has released a significant security update for ArcGIS Server and we recommend our customers apply this patch in a timely manner. Key security patch components are:
1.) Cumulative, containing fixes from the 2016 Update1 Linux security patch (there was no 2016 Update1 security patch release for Windows)
2) 2016 Update2 is applicable to Windows and Linux deployments
3) Includes several essential non-security related fixes, and
4) Limits the publishing of geoprocessing services (GP), SOE, and SOI to only administrators.
5) The security issues addressed in this security patch were incorporated into 10.4
– The Security Standards & Architecture Team
ArcGIS Server Patch 2016 Update2 KBA – Patches available for 10.2.2 and 10.3.1