
ArcGIS 10.1 SP1 for Server Security Patch (September 2013)

Summary

This patch addresses security vulnerabilities that affect ArcGIS 10.1 SP1 for Server. It is recommended that all ArcGIS Server customers apply this patch immediately.

Description

Introduction

Esri® announces the ArcGIS 10.1 SP1 for Server Security Patch (September 2013). This patch addresses two cross-site scripting vulnerabilities. The first is a persistent cross-site scripting vulnerability that requires administrative access in order to exploit. The second is a non-persistent cross-site scripting vulnerability. For further details, please read knowledge base article 41468 for the persistent cross-site scripting vulnerability and article 41498 for the non-persistent cross-site scripting vulnerability.

This patch also addresses a vulnerability that allows authenticated administrators to upload any type of file including potentially unsafe files.

This patch also provides a new security option for administrators. ArcGIS for Server allows tokens to be acquired through HTTP GET requests. This patch provides a new option to grant tokens only when an HTTP POST is used. HTTP GET requests expose credentials in the request URL in plain text, which may be stored in browser history or in network components. To learn more about this feature and how to activate it, please see the following help topics:

Finally the patch addresses a SQL-injection vulnerability that affects ArcGIS for Server deployments with relational databases such as SQL Server, Oracle, PostgreSQL, DB2, or Informix. The SQL-injection vulnerability allows unauthorized modification of data. It deals specifically with the issues listed below under Issues Addressed with this Patch.


Issues Addressed with this Patch


  • NIM092795 - The File Upload Filter for mobile content directories should block an upload of unwanted file types.

  • NIM092820 - The Mobile Content Directory in ArcGIS Server 10.1 SP1 has persistent cross site scripting vulnerabilities.

  • NIM092841 - Add a configurable property to the ArcGIS token service that disables support for HTTP GET.

  • NIM092874 - Code passed to ArcGIS Server through a parameterized/injected query results in an un-sanitized response.

  • NIM093858 - The REST API should ignore invalid query parameters.

  • NIM094447 - There is a SQL injection vulnerability in map and feature services that allows unauthorized modification of data.
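The token-over-GET issue above (NIM092841) matters because the username and password travel in the URL and end up in proxy and web server access logs. The following is an added example, not Esri code, that scans constructed Apache-style access log lines for GET requests to the token service and reports which credential parameters were exposed (without echoing the password). It assumes the token service is served under the /arcgis/tokens context, which corresponds to the arcgis#tokens web app listed in the patch file inventory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format) from a
# reverse proxy in front of ArcGIS Server. IPs and credentials are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2013:10:01:12 +0000] "GET /arcgis/tokens/generateToken?username=gisadmin&password=Hunter2&client=referer&referer=https://maps.example.org HTTP/1.1" 200 212
10.0.0.7 - - [12/Sep/2013:10:02:40 +0000] "POST /arcgis/tokens/generateToken HTTP/1.1" 200 212
10.0.0.9 - - [12/Sep/2013:10:03:05 +0000] "GET /arcgis/rest/services/Roads/MapServer?f=json HTTP/1.1" 200 1843
10.0.0.5 - - [12/Sep/2013:10:04:51 +0000] "GET /arcgis/tokens/?request=getToken&username=viewer&password=pa55&expiration=60 HTTP/1.1" 200 208
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumption: the token service lives under /arcgis/tokens (both the
# generateToken resource and the request=getToken form of the URL).
TOKEN_PATH_RE = re.compile(r'^/arcgis/tokens(/|$)', re.IGNORECASE)
CREDENTIAL_PARAMS = ("username", "password")


def find_get_token_requests(log_text):
    """Return one finding per GET request to the token service.

    Each finding names the credential parameters present in the query
    string but never includes the password value itself, so the report
    can be shared without re-exposing the secret the log already leaked.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        parts = urlsplit(m.group("target"))
        if m.group("method").upper() != "GET" or not TOKEN_PATH_RE.match(parts.path):
            continue  # POST token requests and non-token paths are fine
        query = parse_qs(parts.query)
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": parts.path,
            "username": query.get("username", ["<none>"])[0],
            "leaked_params": [p for p in CREDENTIAL_PARAMS if p in query],
            "status": int(m.group("status")),
        })
    return findings
```

Any finding with a 200 status after the POST-only option has been enabled indicates the setting did not take effect on that server.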

Files Installed with this Patch


Under <ArcGIS Product Installation>/bin:
    FeatureDataElements.dll
    FileGDB.dll
    GdbCore.dll
    GdbCoreLib.dll
    GdbDataTransfer.dll
    GdbNetwork.dll
    MappingServicesLib.dll
    MapServerX.dll
Under <ArcGIS Product Installation>/help/SDK/REST:
    index.html
Under <ArcGIS Product Installation>/framework/lib/server:
    arcgis-admin.jar
    arcgis-mcs-framework.jar
    arcgis-resources.jar
    arcgis-securitylib.jar
Under <ArcGIS Product Installation>/framework/runtime/tomcat/contexts/rootapp:
    404.jsp
Under <ArcGIS Product Installation>/framework/runtime/tomcat/webapps:
    arcgis#mobile
Under <ArcGIS Product Installation>/framework/runtime/tomcat/webapps/arcgis#services/WEB-INF/lib:
    arcgis-securitylib.jar
Under <ArcGIS Product Installation>/framework/runtime/tomcat/webapps/arcgis#rest/WEB-INF/lib:
    arcgis-securitylib.jar
Under <ArcGIS Product Installation>/framework/runtime/tomcat/webapps/arcgis#mobile/WEB-INF/lib:
    arcgis-securitylib.jar
Under <ArcGIS Product Installation>/framework/runtime/tomcat/webapps/arcgis#tokens/WEB-INF/lib:
    arcgis-securitylib.jar

Installing this Patch on Windows

Installation Notes:

System Administrators: A technical paper is available that discusses the enterprise deployment of ArcGIS 10.1 SP1 setups using Microsoft Systems Management Server (SMS), System Center Configuration Manager (SCCM), and Group Policy, including additional system requirements, suggestions, known issues, and Microsoft Software Installation (MSI) command line parameters. Deployment in a lockdown environment is also covered. ArcGIS 10.1 SP1 Enterprise Deployment.

Installation Steps:

ArcGIS 10.1 SP1 for Server must be installed before you can install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. Checksum (MD5) of the downloaded file:
    ArcGIS for Server: ArcGIS-101SP1-S-SSEC-Patch.msp    AFAAE9FEA8C25525DA83F32035B05345

  3. Make sure you have write access to your ArcGIS installation location.

  4. Open the Services Management Console (Control Panel > Administrative Tools > Services). Stop the ArcGIS Server service.

  5. Double-click ArcGIS-101SP1-S-SSEC-Patch.msp to start the install process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-101SP1-S-SSEC-Patch.msp

  6. Open the Services Management Console (Control Panel > Administrative Tools > Services). Start the ArcGIS Server service.

Installing this Patch on Linux


Installation Steps:

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

ArcGIS 10.1 SP1 for Server must be installed before you can install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. Checksum (MD5) of the downloaded file:
    ArcGIS Server: ArcGIS-101SP1-S-SSEC-Patch-lx.tar    FBB873E0EFF9FC3F7733E94ECADB055F

  3. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  4. Stop the ArcGIS server service by typing:

    % <ArcGIS Server installation directory>/arcgis/server/stopserver.sh

  5. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-101SP1-S-SSEC-Patch-lx.tar

  6. Start the Installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven setup procedure. Default selections are noted in parentheses ( ). To quit the setup procedure, type 'q' at any time.

  7. Start the ArcGIS server service by typing:

    % <ArcGIS Server installation directory>/arcgis/server/startserver.sh


Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

February 10, 2014: This patch was updated on February 10 to address an additional cross-site scripting vulnerability reported in NIM092874. Esri recommends that customers who have previously downloaded this patch, update the patch to get this fix.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.