
ArcGIS Server 10 SP5 Security Patch

Summary

This patch addresses two security vulnerabilities in ArcGIS Server that expose internal information via map and feature service queries. It is recommended that all ArcGIS Server customers using enterprise geodatabases or query layers with ArcGIS Server apply this patch immediately.

Description

Introduction

Esri® announces the ArcGIS Server 10 SP5 Security Patch. This patch addresses two security vulnerabilities in ArcGIS Server that expose internal information via map and feature service queries. ArcGIS Server map and feature services typically allow queries using a where clause against layers in a map. When crafted values are supplied in the where clause, it is possible to obtain internal information from the relational database, including the name of the table owner, the name of the machine where the database resides, and information stored in database system tables that the database account has access to. The patch deals specifically with the issues listed below under Issues Addressed with this Patch.

Issues Addressed with this Patch


  • NIM085361 - ArcGIS Server reveals fully qualified table names for layers within a feature service.

    Description: This defect causes the fully qualified table name of a feature class to be returned in error messages. Fully qualified table names often include the name of the table owner and the name of the machine.

  • NIM084249 - Union Select and Union All SQL statements can be inserted into the where statement of an ArcGIS Server query.

    Description: This is a SQL injection defect: a UNION ALL or UNION SELECT can be inserted into a where clause, appending data from other tables to the result. This can result in information from database system tables being revealed.
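The UNION injection in NIM084249 arrives through the where parameter of a map or feature service query request, so after patching the next question for an operator is whether anyone tried it beforehand. The script below is an added example written for this page, not Esri code: it scans web-server access log lines for layer query requests whose decoded where clause contains a UNION SELECT or UNION ALL SELECT, first replacing inline SQL comments with spaces so that keywords separated by /**/ rather than whitespace are still matched. The log lines are constructed for the example, and the request path layout (/arcgis/rest/services/.../query?where=...) is assumed to match your deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Common Log Format (not real traffic).
# The first token is the client address; the quoted request line carries the
# path and query string of the ArcGIS REST request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2012:10:01:02 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=OBJECTID%3D1&f=json HTTP/1.1" 200 812
10.0.0.9 - - [12/Jan/2012:10:01:07 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1+UNION+SELECT+table_name+FROM+information_schema.tables&f=json HTTP/1.1" 200 4096
10.0.0.9 - - [12/Jan/2012:10:01:09 +0000] "GET /arcgis/rest/services/Parcels/MapServer/2/query?where=STATE%3D'CA'%20union%20all%20select%20name%20from%20sys.tables&f=json HTTP/1.1" 500 300
10.0.0.12 - - [12/Jan/2012:10:01:15 +0000] "GET /arcgis/rest/services/Parcels/MapServer/2/query?where=NAME+LIKE+'%25Union+Station%25'&f=json HTTP/1.1" 200 2048
10.0.0.13 - - [12/Jan/2012:10:01:20 +0000] "GET /arcgis/rest/services/Parcels/MapServer/2/query?where=1%3D1/**/UNION/**/SELECT/**/1&f=json HTTP/1.1" 200 10
10.0.0.14 - - [12/Jan/2012:10:01:25 +0000] "GET /arcgis/rest/services/Parcels/MapServer/2?f=json HTTP/1.1" 200 1500
"""

# Quoted request line: method, request target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The two forms named in NIM084249: UNION SELECT and UNION ALL SELECT.
UNION_RE = re.compile(r'\bUNION\s+(?:ALL\s+)?SELECT\b', re.IGNORECASE)
# Inline SQL comments, which can stand in for whitespace between keywords.
COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)


def normalize_sql(text):
    """Replace inline comments with spaces and collapse runs of whitespace so
    that UNION/**/SELECT is seen as UNION SELECT."""
    text = COMMENT_RE.sub(' ', text)
    return ' '.join(text.split())


def extract_where(target):
    """Return the decoded where= value of a layer query request, or None when
    the request is not a /query call or carries no where parameter."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/query'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    values = params.get('where')
    return values[0] if values else None


def is_union_injection(where_clause):
    """True when the normalized where clause contains a UNION [ALL] SELECT.
    A UNION inside a quoted literal such as '%Union Station%' does not match
    because no SELECT keyword follows it."""
    return UNION_RE.search(normalize_sql(where_clause)) is not None


def scan_log(lines):
    """Return (line_number, client, normalized_where) for each suspicious query."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        where = extract_where(match.group('target'))
        if where is None or not is_union_injection(where):
            continue
        client = line.split(' ', 1)[0]
        hits.append((lineno, client, normalize_sql(where)))
    return hits


if __name__ == '__main__':
    for lineno, client, where in scan_log(SAMPLE_LOG.splitlines()):
        print('line %d: %s -> %s' % (lineno, client, where))
```

Run it over the front-end web server or reverse proxy logs rather than the SOM logs, because the where parameter is a request-level artefact. Queries submitted by HTTP POST carry the where clause in the request body, which ordinary access logs do not record, so a clean result over GET requests alone does not prove that no attempt was made.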

Files Installed in this Patch


Under the Windows <ArcGIS Product Installation Directory>\bin folder:
    FdaCore.dll
    FeatureServer.dll
Under the Linux <ArcGIS Product Installation Directory>/bin folder:
    libfdacore.so
    fdacore.rsb
    featureserver.rsb
    libfeatureserver.so
Under the Linux <ArcGIS Product Installation Directory>/com folder:
    esrigeodatabase.olb
    libesrigeodatabase.so
    esrigeodatabase.rsb

Installing this Patch on Windows

Installation Notes:

System Administrators: A technical paper is available that discusses the enterprise deployment of ArcGIS 10.1 setups using Microsoft Systems Management Server (SMS), System Center Configuration Manager (SCCM), and Group Policy, including additional system requirements, suggestions, known issues, and Microsoft Software Installation (MSI) command line parameters. Deployment in a lockdown environment is also covered. See the technical paper ArcGIS 10.1 Enterprise Deployment.

Installation Steps:

ArcGIS Server 10 Service Pack 5 must be installed before you can install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. Verify the checksum of the downloaded file against the value published here before running it.

     Product                       File                                   MD5 checksum
     ArcGIS Server GIS Services    ArcGIS-10SP5-SGIS-Security-Patch.msp   0A8261B164B25197C8CF481EB532D027
     ArcGIS Server Java            ArcGIS-10SP5-SJ-Security-Patch.msp     D74153F1E50FAFA71D2B3D0B1868FA9A

  3. Make sure you have write access to your ArcGIS installation location.

  4. Server for .Net Installation Only: From your Services control panel, stop the ArcGIS Server Object Manager and ArcGIS SOC Monitor.

    Server for Java Installation Only: From your Services control panel, stop the ArcGIS Server Manager Service, ArcGIS Server Object Manager and ArcGIS SOC Monitor.

  5. Double-click the .msp file you downloaded in step 2 (ArcGIS-10SP5-SGIS-Security-Patch.msp for ArcGIS Server GIS Services, or ArcGIS-10SP5-SJ-Security-Patch.msp for ArcGIS Server Java) to start the install process.

    NOTE: If double clicking on the MSP file does not start the Patch installation, you can start the Patch installation manually by using the following command (substitute the Java patch file name for a Server for Java installation):

    msiexec.exe /p [location of Patch]\ArcGIS-10SP5-SGIS-Security-Patch.msp

  6. Server for .Net Installation Only: From your Services control panel, start the ArcGIS Server Object Manager and ArcGIS SOC Monitor.

    Server for Java Installation Only: From your Services control panel, start the ArcGIS Server Manager Service, ArcGIS Server Object Manager and ArcGIS SOC Monitor.

Installing this Patch on Linux


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

ArcGIS Server 10 Service Pack 5 must be installed before you can install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


     Verify the checksum of the downloaded file against the value published here before extracting it.

     Product          File                                   MD5 checksum
     ArcGIS Server    ArcGIS-10SP5-S-Security-Patch-lx.tar   08F0D36347E06A40983C091F5230C618

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. ArcGIS Server only: stop the ArcGIS Server service by typing:

    % <ArcGIS Server installation directory>/arcgis/server10.0/stopserver

  4. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-10SP5-S-Security-Patch-lx.tar

  5. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

  6. ArcGIS Server only: start the ArcGIS Server service by typing:

    % <ArcGIS Server installation directory>/arcgis/server10.0/startserver
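Both the Windows and the Linux procedures above publish a 32-hex-digit MD5 value beside each download. The script below is an added example for this page, not an Esri tool: it hashes a downloaded patch file in chunks and compares the result with the value published above, keyed on the download's file name, so that a truncated or tampered file is rejected before it is run or extracted. The checksum table is copied from this page; the paths passed on the command line are assumed to be the files you downloaded.

```python
import hashlib
import os
import sys

# MD5 values as published on this patch page, keyed by the download's file name.
PUBLISHED_MD5 = {
    'ArcGIS-10SP5-SGIS-Security-Patch.msp': '0A8261B164B25197C8CF481EB532D027',
    'ArcGIS-10SP5-SJ-Security-Patch.msp': 'D74153F1E50FAFA71D2B3D0B1868FA9A',
    'ArcGIS-10SP5-S-Security-Patch-lx.tar': '08F0D36347E06A40983C091F5230C618',
}


def md5_of_bytes(data):
    """Upper-case hex MD5 of an in-memory byte string."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path, chunk_size=1 << 20):
    """Upper-case hex MD5 of a file, read in 1 MiB chunks so that a large
    .tar or .msp does not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, 'rb') as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b''):
            digest.update(chunk)
    return digest.hexdigest().upper()


def check_against_published(file_name, actual_md5, published=PUBLISHED_MD5):
    """Compare a computed digest with the published one for file_name.
    Returns (ok, message). An unknown file name is a failure, not a pass,
    so a renamed or unexpected file cannot slip through."""
    expected = published.get(file_name)
    if expected is None:
        return False, 'no published checksum for %s; do not install it' % file_name
    if actual_md5.upper() != expected.upper():
        return False, 'CHECKSUM MISMATCH for %s: expected %s, got %s' % (
            file_name, expected, actual_md5.upper())
    return True, 'checksum OK for %s' % file_name


def verify_patch_file(path):
    """Hash a downloaded patch and check it against the published table."""
    return check_against_published(os.path.basename(path), md5_of_file(path))


if __name__ == '__main__':
    # Usage: python verify_patch.py <downloaded patch file> [...]
    # Exit status is non-zero if any file fails, so a deployment script can
    # stop before the applypatch or msiexec step.
    failed = False
    for path in sys.argv[1:]:
        ok, message = verify_patch_file(path)
        print(message)
        failed = failed or not ok
    sys.exit(1 if failed else 0)
```

MD5 is the only checksum the page publishes; it will catch a corrupted or truncated download, but it is not collision resistant, so the check complements, rather than replaces, fetching the file over HTTPS from Esri's own download location.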

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this Patch will be posted here.

How to identify which Patch is installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this Patch. International sites, please contact your local Esri software distributor.