
ArcGIS 9.3.1 SP2 for Server Security Patch

Summary

This patch addresses two security vulnerabilities in ArcGIS Server that expose internal information via map and feature service queries. It is recommended that all ArcGIS Server customers using enterprise geodatabases or query layers with ArcGIS Server apply this patch immediately.

Description

Introduction

Esri® announces the ArcGIS 9.3.1 SP2 for Server Security Patch. This patch addresses two security vulnerabilities in ArcGIS Server that expose internal information via map and feature service queries. ArcGIS Server map and feature services typically allow queries using a where clause against layers in a map. When certain values are provided via the where clause, it is possible to obtain internal information from the relational database, including the name of the table owner, the name of the machine where the database resides, and information stored in database system tables that the database account has access to. It deals specifically with the issues listed below under Issues Addressed with this Patch.

Issues Addressed with this Patch

  • NIM084249 - Union Select and Union All SQL statements can be inserted into the where statement of an ArcGIS Server query.

    Description: This is a SQL injection defect that allows the insertion of a UNION ALL or a UNION SELECT into a where clause, which allows data from other tables to be appended to the result. This can result in information from database system tables being revealed.
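The defect above is the classic case of a client-supplied where clause being forwarded to the database as raw SQL. Beyond applying the patch, two things a defender can do are (a) put a front-end allow-list validator in front of any proxy or wrapper that forwards where clauses, and (b) scan web-server access logs for query requests whose where parameter falls outside the grammar a legitimate map client would use. The following is an added example of both, not Esri code: it implements a small recursive-descent validator for a restricted predicate grammar (field/operator/literal terms joined by AND/OR/NOT, IN lists, LIKE, IS NULL) in which every identifier must be a known layer field, and then runs it over constructed access-log lines. The layer field names, the service path and the log format are assumptions for illustration.

```python
"""Allow-list validator for ArcGIS-style 'where' query parameters, plus a scan
over constructed access-log lines.  Added illustration; the field names,
service URL and log format are assumptions, not Esri's code or log format."""
import re
from urllib.parse import urlsplit, parse_qs

# Tokens of the small predicate grammar we are willing to forward to the database.
TOKEN_RE = re.compile(r"""
    \s*(?:
      (?P<str>'(?:[^']|'')*')             # single-quoted string, '' escapes a quote
    | (?P<num>-?\d+(?:\.\d+)?)            # numeric literal
    | (?P<op><=|>=|<>|!=|=|<|>)           # comparison operators (longest first)
    | (?P<punct>[(),])                    # grouping and IN-list separators
    | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)   # field name or keyword
    )""", re.VERBOSE)


class WhereClauseError(ValueError):
    """Raised for anything outside the allowed grammar."""


def tokenize(where):
    tokens, pos = [], 0
    while pos < len(where):
        m = TOKEN_RE.match(where, pos)
        if not m:   # ';', '--', '/*', stray quotes and so on land here
            raise WhereClauseError(f"unexpected character at offset {pos}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


class Parser:
    """expr := term ((AND|OR) term)*
       term := NOT term | '(' expr ')' | field IS [NOT] NULL
             | field IN '(' literal {, literal} ')' | field LIKE str | field op literal"""

    def __init__(self, tokens, fields):
        self.toks, self.i = tokens, 0
        self.fields = {f.upper() for f in fields}   # the layer's real field names

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (value and v.upper() != value):
            raise WhereClauseError(f"unexpected token {v!r}")
        self.i += 1
        return v

    def is_kw(self, word):
        k, v = self.peek()
        return k == "ident" and v.upper() == word

    def parse(self):
        self.expr()
        if self.peek()[0] is not None:   # e.g. a trailing UNION ... clause
            raise WhereClauseError("trailing tokens after predicate")

    def expr(self):
        self.term()
        while self.is_kw("AND") or self.is_kw("OR"):
            self.take()
            self.term()

    def term(self):
        if self.is_kw("NOT"):
            self.take()
            return self.term()
        if self.peek() == ("punct", "("):
            self.take()
            self.expr()
            self.take("punct", ")")
            return
        field = self.take("ident")
        if field.upper() not in self.fields:   # UNION, SELECT, table names... fail here
            raise WhereClauseError(f"unknown field {field!r}")
        if self.is_kw("IS"):
            self.take()
            if self.is_kw("NOT"):
                self.take()
            self.take("ident", "NULL")
        elif self.is_kw("IN"):
            self.take()
            self.take("punct", "(")
            self.literal()
            while self.peek() == ("punct", ","):
                self.take()
                self.literal()
            self.take("punct", ")")
        elif self.is_kw("LIKE"):
            self.take()
            self.take("str")
        else:
            self.take("op")
            self.literal()

    def literal(self):
        if self.peek()[0] not in ("str", "num"):
            raise WhereClauseError("literal expected")
        self.take()


def is_safe_where(where, fields):
    """True if the clause fits the allow-list grammar using only known fields."""
    try:
        Parser(tokenize(where.strip()), fields).parse()
        return True
    except WhereClauseError:
        return False


# Constructed access-log lines in a common-log-like shape (not real Esri logs).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2012:10:00:01] "GET /arcgis/rest/services/Demo/MapServer/0/query?where=STATE_NAME%3D%27Texas%27&f=json HTTP/1.1" 200
10.0.0.9 - - [01/Mar/2012:10:00:07] "GET /arcgis/rest/services/Demo/MapServer/0/query?where=POP2000%3E100000+AND+STATE_NAME+IN+%28%27Texas%27%2C%27Ohio%27%29&f=json HTTP/1.1" 200
10.0.0.7 - - [01/Mar/2012:10:00:09] "GET /arcgis/rest/services/Demo/MapServer/0/query?where=POP2000%3D1+UNION+ALL+SELECT+1%2C2%2C3&f=json HTTP/1.1" 200
10.0.0.7 - - [01/Mar/2012:10:00:12] "GET /arcgis/rest/services/Demo/MapServer/0/query?where=POP2000%3D1%3B--&f=json HTTP/1.1" 200
"""
LAYER_FIELDS = ["OBJECTID", "STATE_NAME", "POP2000"]   # assumed schema of layer 0

REQ_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) ')


def flag_suspicious_queries(log_text, fields):
    """Return (client_ip, decoded_where) for every request whose where clause fails validation."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        for where in parse_qs(urlsplit(url).query).get("where", []):
            if not is_safe_where(where, fields):
                hits.append((ip, where))
    return hits


if __name__ == "__main__":
    for ip, where in flag_suspicious_queries(SAMPLE_LOG, LAYER_FIELDS):
        print(f"{ip}: rejected where clause {where!r}")
```

Two design notes. First, the check is an allow-list, not a deny-list: a clause is accepted only if it parses under the grammar and every identifier is a field of the layer, so keywords such as UNION or SELECT, comment markers and statement separators are all rejected without having to enumerate them. Second, a clause like `1=1`, which many map clients send to mean "all rows", is deliberately outside this grammar; if your clients rely on it, add that single literal form explicitly rather than loosening the term rule.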

Files Installed in this Patch

Under the Windows <ArcGIS Product Installation Directory>\bin folder:
    CartoXLib.dll
    FeatureServer.dll
    GdbCore.dll
Under the Linux <ArcGIS Product Installation Directory>/bin folder:
    CartoXLib.dll
    FeatureServer.dll
    GdbCore.dll

Installing this Patch on Windows

Installation Steps:

ArcGIS (Desktop, Engine, Server) 9.3.1 Service Pack 2 Quality Improvement Patch must be installed before you can install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. Checksum of the downloaded file:

     Product:  ArcGIS for Server
     File:     ArcGIS-931SP2QIP-S-SEC-Patch.exe
     Checksum: A5C7CD4D5E26977B638A360D1A674068

  3. Make sure you have write access to your ArcGIS installation location.

  4. For ArcGIS Server for the Microsoft .NET Framework Only: Open the Services Management Console (Control Panel > Administrative Tools > Services). Stop the ArcGIS Server Object Manager and ArcGIS Server SOC Monitor services.

    For ArcGIS Server Java Only: Open the Services Management Console (Control Panel > Administrative Tools > Services). Stop the ArcGIS Server Object Manager, ArcGIS Server SOC Monitor and ArcGIS Server Manager services.

  5. Double-click ArcGIS-931SP2QIP-S-SEC-Patch.exe to start the install process.

    NOTE: If double-clicking on the MSP file does not start the Patch installation, you can start the Patch installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-931SP2QIP-S-SEC-Patch.exe

  6. For ArcGIS Server for the Microsoft .NET Framework Only: Open the Services Management Console (Control Panel > Administrative Tools > Services). Start the ArcGIS Server Object Manager and ArcGIS Server SOC Monitor services.

    For ArcGIS Server Java Only: Open the Services Management Console (Control Panel > Administrative Tools > Services). Start the ArcGIS Server Object Manager, ArcGIS Server SOC Monitor and ArcGIS Server Manager services.

Installing this Patch on Linux

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

ArcGIS (Desktop, Engine, Server) 9.3.1 Service Pack 2 Quality Improvement Patch must be installed before you can install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

     Checksum of the downloaded file:

     Product:  ArcGIS for Server
     File:     ArcGIS-931SP2QIP-S-SEC-Patch-lx.tar
     Checksum: C68AF6EB22B86FE9BBF5C43E54D142C3

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. ArcGIS for Server only: stop the ArcGIS server service by typing:

    % arcgis/scripts/stopserver

  4. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-931SP2QIP-S-SEC-Patch-lx.tar

  5. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

  6. ArcGIS for Server only: start the ArcGIS Server service by typing:

    % arcgis/scripts/startserver
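Both the Windows and the Linux procedures above publish a checksum for the download, and the download should be verified against it before the server is stopped and the patch applied. The following is an added example of that check, not an Esri utility: it computes the digest of a local file in chunks and compares it with the value from the patch notes. The notes do not name the algorithm; the 32 hexadecimal digits match an MD5 digest, and this code assumes that (it would need a different algorithm name if a future note published SHA-256 values). It also runs a self-check on a constructed file using the standard MD5 test vector for the string "abc".

```python
"""Verify a downloaded patch file against the checksum published in the patch notes.
Added example, not an Esri tool.  Assumption: the published 32-hex-digit value is MD5."""
import hashlib
import os
import tempfile

# File name -> checksum, copied from the patch notes above.
PUBLISHED_CHECKSUMS = {
    "ArcGIS-931SP2QIP-S-SEC-Patch.exe": "A5C7CD4D5E26977B638A360D1A674068",
    "ArcGIS-931SP2QIP-S-SEC-Patch-lx.tar": "C68AF6EB22B86FE9BBF5C43E54D142C3",
}


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so large downloads do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex, algorithm="md5"):
    """True only if the file's digest equals the published value (case-insensitive)."""
    return file_digest(path, algorithm).lower() == expected_hex.strip().lower()


def verify_patch_file(path):
    """Look the file up by name in the published table and verify it; unknown names are an error."""
    name = os.path.basename(path)
    if name not in PUBLISHED_CHECKSUMS:
        raise ValueError(f"no published checksum for {name!r}")
    return verify_download(path, PUBLISHED_CHECKSUMS[name])


def self_check():
    """Verify the verifier on a constructed file: MD5("abc") is the well-known
    RFC 1321 test vector 900150983cd24fb0d6963f7d28e17f72."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        with open(p, "wb") as f:
            f.write(b"abc")
        good = verify_download(p, "900150983CD24FB0D6963F7D28E17F72")
        bad = verify_download(p, "00000000000000000000000000000000")
    return good, bad


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        ok = verify_patch_file(sys.argv[1])
        print("checksum OK" if ok else "CHECKSUM MISMATCH - do not install this file")
        sys.exit(0 if ok else 1)
    print("self-check (good, bad):", self_check())
```

Run it as `python verify_patch.py /path/to/ArcGIS-931SP2QIP-S-SEC-Patch-lx.tar` before step 3 of the Linux procedure (or before step 3 of the Windows procedure); a non-zero exit code means the download does not match the published value and should be fetched again rather than installed.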

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this Patch will be posted here.

How to identify which Patch is installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this Patch. International sites, please contact your local Esri software distributor.