
ArcSDE 8.3 Three Tiered Connection Security Patch

Summary

This patch prevents the ArcSDE service from being affected by malicious connection packets.

Description

Issues Addressed with this Patch

    NIM007075 - The giomgr can be crashed by sending extra characters in the connection string.

    Description

    A security issue has been identified where it is theoretically possible for someone to create a connection packet that could cause the ArcSDE server to crash when using three tiered ArcSDE configurations (i.e., app server). Sending a maliciously crafted connection packet to an ArcSDE service can crash the service. This will not happen under normal use of the software, and we are unaware of any occasion on which anyone has created one of these malicious packets. ESRI therefore considers the risk of an attack to be very low. As a precaution, ESRI has developed this patch to ArcSDE, which removes the ability to create a malicious packet that could cause the system to crash and thereby secures the ArcSDE service against such an attack.

Installing the Patch

ArcSDE 8.3 Service Pack 2 must be installed before you can install this Patch. It is strongly recommended that you back up your database including all previous ArcSDE system tables and user layer data before upgrading your ArcSDE installation. Install this Patch using your SDE user account.

Server Install for UNIX

Installation Steps:

During installation, you can either save the original 8.3 files or overwrite them. If you choose to save them, make sure you have enough disk space. The disk space requirements, for each platform, are displayed during the installation process.

  1. Download the appropriate tar file to a location other than $SDEHOME:

     Database    Platform    File                                    Size
     DB2         IBM         (coming soon)                           2 MB
     Informix    HP          sde83-securitypatch-inf-hp.tar          2 MB
     Informix    IBM         sde83-securitypatch-inf-ibm.tar         2 MB
     Informix    Solaris     sde83-securitypatch-inf-slrs.tar        2 MB
     Oracle 8i   HP          (coming soon)                           3 MB
     Oracle 8i   IBM         sde83-securitypatch-ora8i-ibm.tar       2 MB
     Oracle 8i   Solaris     sde83-securitypatch-ora8i-slrs.tar      3 MB
     Oracle 8i   Tru64       sde83-securitypatch-ora8i-tru64.tar     3 MB
     Oracle 9i   HP64        (coming soon)                           3 MB
     Oracle 9i   Linux       sde83-securitypatch-ora9i-linux.tar     2 MB
     Oracle 9i   Solaris     sde83-securitypatch-ora9i-slrs.tar      3 MB
     Oracle 9i   Solaris64   sde83-securitypatch-ora9i-slrs64.tar    3 MB
     Oracle 9i   Tru64       sde83-securitypatch-ora9i-tru64.tar     3 MB

  2. Stop your current ArcSDE service:

     % sdemon -o shutdown

  3. Extract the specified tar file by typing:

     % tar -xvf sde83-securitypatch-<Database>-<Platform>.tar

  4. Start the installation by typing:

     % ./applypatch

     This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

  5. Start your service again:

     % sdemon -o start

Server Install for Windows

    Windows Installation Notes:

Installation Steps

  1. Make sure you have write access to the ArcSDE installation folder, that no one is using ArcSDE, and that the ArcSDE service is down.

  2. Download the appropriate file to a location other than the ArcSDE installation folder:

     Database     File                                 Size
     DB2          sde83-securitypatch-db2-win.exe      1 MB
     Informix     sde83-securitypatch-inf-win.exe      1 MB
     Oracle 8i    sde83-securitypatch-ora8i-win.exe    1 MB
     Oracle 9i    sde83-securitypatch-ora9i-win.exe    1 MB
     SQL Server   sde83-securitypatch-sql-win.exe      1 MB

  3. Double-click the appropriate executable to start the install process.

  4. When Setup starts, follow the instructions on your screen.

  5. As the SDE user, run the following command to restart the ArcSDE service:

     sdemon -o start

How to identify which Patch is installed

    UNIX

    Any modified UNIX executables (or libraries) being sent out as part of a Patch will return the unique identification number for that fix when checked with the "what" command for UNIX and the "strings" command for Linux. For example, to display the identification string for this Patch on UNIX, type:

      % what gsrvr.static | grep QFE

      QFE-SDE-83-CQ00303308

    Windows

    To check for the presence of a Patch, for each file examine the unique identification information provided (right click, properties, version tab, item name, QFE Version). With only a few exceptions, all files modified as part of a Patch distribution can be uniquely identified in this manner. The identification string for this Patch should read:

      QFE-SDE-83-CQ00303308
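To run the UNIX check above against several patched binaries at once, here is an added example script (not ESRI's code and not part of the patch notes). It assumes the patched executables live under $SDEHOME/bin, that gsrvr.static and giomgr are the files to check, and falls back to grep -a (which scans binaries the way "strings | grep" does) where the "what" command is unavailable.

```shell
#!/bin/sh
# Added example: verify the QFE identification string for this patch
# is embedded in the ArcSDE binaries. File names and the SDEHOME
# default are assumptions, not taken from the patch notes.
QFE_ID="QFE-SDE-83-CQ00303308"

# has_qfe FILE : return 0 if FILE carries the QFE id, 1 otherwise.
# Tries the SCCS "what" command first (as the patch notes describe),
# then grep -a, which searches the raw binary for the same string.
has_qfe() {
    f="$1"
    [ -f "$f" ] || return 1
    if command -v what >/dev/null 2>&1; then
        what "$f" 2>/dev/null | grep -q "$QFE_ID" && return 0
    fi
    grep -aq "$QFE_ID" "$f"
}

# check_sdehome DIR : check each expected binary under DIR/bin, print
# one status line per file, and return the number of files missing
# the id (0 means every file is patched).
check_sdehome() {
    dir="${1:-${SDEHOME:-/opt/sde}}"   # assumed default location
    missing=0
    for name in gsrvr.static giomgr; do   # assumed list of patched files
        f="$dir/bin/$name"
        if has_qfe "$f"; then
            echo "PATCHED  $f"
        else
            echo "MISSING  $f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: check_qfe.sh [SDEHOME]
if [ "$#" -gt 0 ]; then
    check_sdehome "$1"
fi
```

A non-zero exit status means at least one listed binary does not carry the identification string, so the patch should be treated as not fully applied on that host.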

Patch Updates

Check the Online Support Center periodically for the availability of additional Patches or Service Packs. New information about this Patch will be posted here.

    UPDATE 4/11/2007 - Now Available:

    • The ArcSDE Informix downloads for HP and IBM.

Getting Help

Domestic sites, please contact ESRI Technical Support at 1-888-377-4575, if you have any difficulty installing this Patch. International sites, please contact your local ESRI software distributor.