{"id":794981,"date":"2020-04-01T15:01:28","date_gmt":"2020-04-01T22:01:28","guid":{"rendered":"https:\/\/www.esri.com\/arcgis-blog\/?post_type=blog&p=794981"},"modified":"2020-04-06T07:59:41","modified_gmt":"2020-04-06T14:59:41","slug":"critical-security-patch-for-arcgis-server-released","status":"publish","type":"blog","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released","title":{"rendered":"Critical Security patch for ArcGIS Server Released"},"author":5311,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"_searchwp_excluded":""},"categories":[37501,37101],"tags":[42301,23591,24081,30141,35281],"industry":[],"product":[36571],"class_list":["post-794981","blog","type-blog","status-publish","format-standard","hentry","category-administration","category-announcements","tag-arcgis-enterprise","tag-arcgis-server","tag-ssamymlgp","tag-security-patch","tag-vulnerability","product-arcgis-enterprise"],"acf":{"short_description":"Esri has recently discovered a critical vulnerability in ArcGIS Server and has released\u00a0a patch to address this issue.\r\n","flexible_content":[{"acf_fc_layout":"content","content":"

Esri has recently discovered a critical Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server.\u00a0<\/span> This issue has been assigned a base CVSS score of 9.8 – with an exploit vector as CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H<\/a>.\u00a0<\/span><\/p>\n

In response, Esri has released<\/span>\u00a0the<\/span>\u00a0<\/span>ArcGIS Server Security 2020 Update 1 Patch<\/span><\/b>\u00a0<\/span><\/b>for all currently supported ArcGIS Server versions 10.7.1 and prior to address this issue. ArcGIS Server 10.8 is unaffected by this vulnerability.<\/span>\u00a0<\/span><\/p>\n

Special steps are required by persons with network access to the ArcGIS deployment to exploit this SSRF, which can potentially be used to obtain access to sensitive internal system information by unauthorized individuals.<\/span>\u00a0<\/span><\/p>\n

Esri strongly recommends all ArcGIS Server administrators install this patch by using the ArcGIS Server \u201c<\/span>Patch Notification<\/span><\/i>\u201d\u00a0<\/span>utility<\/span> or by downloading the appropriate patch for your ArcGIS Enterprise site from the ArcGIS Server Security 2020 Update 1 Patch knowledge base article<\/b><\/a><\/span>.\u00a0<\/span>\u00a0<\/span><\/p>\n

Be sure to subscribe to the\u00a0<\/span>RSS feed<\/span>\u00a0on the\u00a0<\/span>ArcGIS Trust Center<\/span>\u00a0for timely notifications regarding trends and issues related to security issues that impact the ArcGIS Platform.<\/span>\u00a0<\/span><\/p>\n

Refer to the following resources:<\/span>\u00a0<\/span><\/p>\n

ArcGIS Server Security 2020 Update 1 Patch<\/span><\/b><\/a>\u00a0<\/span><\/p>\n

Check for and install software patches and updates<\/span><\/b><\/a>\u00a0<\/span>\u00a0<\/span><\/p>\n

HowTo: Schedule Automatic Updates for ArcGIS Enterprise<\/span><\/b>\u00a0<\/span><\/a><\/p>\n

ArcGIS Trust Center<\/span><\/b>\u00a0<\/span><\/a><\/p>\n

Security Update Statement<\/span><\/b><\/a>\u00a0<\/span><\/p>\n

 <\/p>\n"}],"authors":[{"ID":5311,"user_firstname":"Randall","user_lastname":"Williams","nickname":"Randall Williams","user_nicename":"randallwilliams","display_name":"Randall Williams","user_email":"randall_williams@esri.com","user_url":"https:\/\/trust.arcgis.com","user_registered":"2018-03-02 00:17:03","user_description":"","user_avatar":""}],"related_articles":"","card_image":false,"wide_image":false},"yoast_head":"\nCritical Security patch for ArcGIS Server Released<\/title>\n<meta name=\"description\" content=\"Esri has recently discovered a critical vulnerability in ArcGIS Server and has released\u00a0a patch to address this issue.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Critical Security patch for ArcGIS Server Released\" \/>\n<meta property=\"og:description\" content=\"Esri has recently discovered a critical vulnerability in ArcGIS Server and has released\u00a0a patch to address this issue.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released\" \/>\n<meta property=\"og:site_name\" content=\"ArcGIS Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/esrigis\/\" \/>\n<meta property=\"article:modified_time\" content=\"2020-04-06T14:59:41+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@ESRI\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":[\"Article\",\"BlogPosting\"],\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released\"},\"author\":{\"name\":\"Randall Williams\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959\"},\"headline\":\"Critical Security patch for ArcGIS Server Released\",\"datePublished\":\"2020-04-01T22:01:28+00:00\",\"dateModified\":\"2020-04-06T14:59:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released\"},\"wordCount\":7,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"keywords\":[\"ArcGIS Enterprise\",\"ArcGIS Server\",\"ArcGIS Trust Center\",\"security patch\",\"vulnerability\"],\"articleSection\":[\"Administration\",\"Announcements\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released\",\"name\":\"Critical Security patch for ArcGIS Server Released\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\"},\"datePublished\":\"2020-04-01T22:01:28+00:00\",\"dateModified\":\"2020-04-06T14:59:41+00:00\",\"description\":\"Esri has recently discovered a critical vulnerability in ArcGIS Server and has released\u00a0a patch to address this issue.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esri.com\/arcgis-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Critical Security patch for ArcGIS Server Released\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"name\":\"ArcGIS Blog\",\"description\":\"Get insider info from Esri product teams\",\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\",\"name\":\"Esri\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"width\":400,\"height\":400,\"caption\":\"Esri\"},\"image\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/esrigis\/\",\"https:\/\/x.com\/ESRI\",\"https:\/\/www.linkedin.com\/company\/5311\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959\",\"name\":\"Randall Williams\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png\",\"caption\":\"Randall Williams\"},\"sameAs\":[\"https:\/\/trust.arcgis.com\"],\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/author\/randallwilliams\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Critical Security patch for ArcGIS Server Released","description":"Esri has recently discovered a critical vulnerability in ArcGIS Server and has released\u00a0a patch to address this issue.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released","og_locale":"en_US","og_type":"article","og_title":"Critical Security patch for ArcGIS Server Released","og_description":"Esri has recently discovered a critical vulnerability in ArcGIS Server and has released\u00a0a patch to address this issue.","og_url":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released","og_site_name":"ArcGIS Blog","article_publisher":"https:\/\/www.facebook.com\/esrigis\/","article_modified_time":"2020-04-06T14:59:41+00:00","twitter_card":"summary_large_image","twitter_site":"@ESRI","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":["Article","BlogPosting"],"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released#article","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released"},"author":{"name":"Randall Williams","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959"},"headline":"Critical Security patch for ArcGIS Server Released","datePublished":"2020-04-01T22:01:28+00:00","dateModified":"2020-04-06T14:59:41+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released"},"wordCount":7,"commentCount":0,"publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"keywords":["ArcGIS Enterprise","ArcGIS Server","ArcGIS Trust Center","security patch","vulnerability"],"articleSection":["Administration","Announcements"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released","url":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released","name":"Critical Security patch for ArcGIS Server Released","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#website"},"datePublished":"2020-04-01T22:01:28+00:00","dateModified":"2020-04-06T14:59:41+00:00","description":"Esri has recently discovered a critical vulnerability in ArcGIS Server and has released\u00a0a patch to address this issue.","breadcrumb":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/critical-security-patch-for-arcgis-server-released#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esri.com\/arcgis-blog\/"},{"@type":"ListItem","position":2,"name":"Critical Security patch for ArcGIS Server Released"}]},{"@type":"WebSite","@id":"https:\/\/www.esri.com\/arcgis-blog\/#website","url":"https:\/\/www.esri.com\/arcgis-blog\/","name":"ArcGIS Blog","description":"Get insider info from Esri product teams","publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization","name":"Esri","url":"https:\/\/www.esri.com\/arcgis-blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","width":400,"height":400,"caption":"Esri"},"image":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/esrigis\/","https:\/\/x.com\/ESRI","https:\/\/www.linkedin.com\/company\/5311\/"]},{"@type":"Person","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959","name":"Randall Williams","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png","caption":"Randall Williams"},"sameAs":["https:\/\/trust.arcgis.com"],"url":"https:\/\/www.esri.com\/arcgis-blog\/author\/randallwilliams"}]}},"text_date":"April 1, 2020","author_name":"Randall Williams","author_page":"https:\/\/www.esri.com\/arcgis-blog\/author\/randallwilliams","custom_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2025\/08\/Newsroom-Keyart-Wide-1920-x-1080.jpg","primary_product":"ArcGIS Enterprise","tag_data":[{"term_id":42301,"name":"ArcGIS Enterprise","slug":"arcgis-enterprise","term_group":0,"term_taxonomy_id":42301,"taxonomy":"post_tag","description":"","parent":0,"count":210,"filter":"raw"},{"term_id":23591,"name":"ArcGIS Server","slug":"arcgis-server","term_group":0,"term_taxonomy_id":23591,"taxonomy":"post_tag","description":"","parent":0,"count":53,"filter":"raw"},{"term_id":24081,"name":"ArcGIS Trust Center","slug":"ssamymlgp","term_group":0,"term_taxonomy_id":24081,"taxonomy":"post_tag","description":"","parent":0,"count":96,"filter":"raw"},{"term_id":30141,"name":"security patch","slug":"security-patch","term_group":0,"term_taxonomy_id":30141,"taxonomy":"post_tag","description":"","parent":0,"count":20,"filter":"raw"},{"term_id":35281,"name":"vulnerability","slug":"vulnerability","term_group":0,"term_taxonomy_id":35281,"taxonomy":"post_tag","description":"","parent":0,"count":8,"filter":"raw"}],"category_data":[{"term_id":37501,"name":"Administration","slug":"administration","term_group":0,"term_taxonomy_id":37501,"taxonomy":"category","description":"","parent":0,"count":428,"filter":"raw"},{"term_id":37101,"name":"Announcements","slug":"announcements","term_group":0,"term_taxonomy_id":37101,"taxonomy":"category","description":"","parent":0,"count":1976,"filter":"raw"}],"product_data":[{"term_id":36571,"name":"ArcGIS Enterprise","slug":"arcgis-enterprise","term_group":0,"term_taxonomy_id":36571,"taxonomy":"product","description":"","parent":0,"count":979,"filter":"raw"}],"primary_product_link":"https:\/\/www.esri.com\/arcgis-blog\/?s=#&products=arcgis-enterprise","_links":{"self":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/794981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/users\/5311"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/comments?post=794981"}],"version-history":[{"count":0,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/794981\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/media?parent=794981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/categories?post=794981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/tags?post=794981"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/industry?post=794981"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/product?post=794981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}