ArcGIS 10.1 SP1, 10.2.1, and 10.2.2 Web Adaptor for IIS Security (August 2014) Patch

Summary

Esri recommends installing this security patch for the Web Adaptor for IIS, versions 10.1 - 10.2.2. The patch addresses serious security vulnerabilities in the Web Adaptor for IIS (the Web Adaptor for the Java platform is not affected by these vulnerabilities). It applies specifically to versions 10.1 SP1, 10.2.1 or 10.2.2. Customers who are using 10.1 or 10.2 should apply 10.1 Service Pack 1 or 10.2.2 first.

Description

Introduction

Esri® announces the ArcGIS 10.1 SP1, 10.2.1, and 10.2.2 Web Adaptor for IIS Security (August 2014) Patch. This patch addresses two serious security vulnerabilities in the web adaptor. All installations of the Web Adaptor for IIS 10.1 through 10.2.2 are affected. This patch needs to be applied on the latest security baselines for each version (10.1 SP1 and 10.2.2). Please apply the appropriate service pack (10.1 SP1 or 10.2.2) first before applying the patch if not at the latest security baseline. This patch deals specifically with the issues listed below under Issues Addressed with this Patch.


Issues Addressed with this Patch


  • NIM102891 - ArcGIS Web Adaptor on IIS does not enforce authorization on a restricted URL.
  • NIM102631 - Web Adaptor on IIS contains a cross-site scripting (XSS) vulnerability.

Please see Knowledge Base - Technical Article 41548 for more information.


Installing this patch on Windows

Installation Steps:

ArcGIS Web Adaptor for IIS must be installed before installing this patch.

  1. Download the appropriate file for your environment to a location other than your ArcGIS installation location.

  2. Version               Product              File                              Checksum (MD5)
     10.1 Service Pack 1   ArcGIS Web Adaptor   ArcGIS-101SP1-WAI-SEC-Patch.msp   53FE342B1096CE3DBE4C94AC16C4B139
     10.2.1                ArcGIS Web Adaptor   ArcGIS-1021-WAI-SEC-Patch.msp     0FF0E84950C4DC70739BC08DEB9DCE5A
     10.2.2                ArcGIS Web Adaptor   ArcGIS-1022-WAI-SEC-Patch.msp     E0F9AD5A8542E791415F7F3006D395CF

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click the appropriate setup to start the setup process.

    NOTE: If double-clicking the MSP file does not start the setup, you can start it manually with the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-<Product>-SEC-Patch.msp
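
The download, checksum and install steps above as one script, added here as an example (it is not Esri's code): it checks the downloaded .msp against the MD5 values published in the table and, only when they match and -Install is given, starts the patch with the msiexec.exe /p command from step 4. The script name Verify-WebAdaptorPatch.ps1 and the -PatchPath and -Install parameters are assumptions made for this example.

```powershell
# Verify-WebAdaptorPatch.ps1 (hypothetical name; added example, not part of the Esri patch)
# Usage: .\Verify-WebAdaptorPatch.ps1 -PatchPath C:\Temp\ArcGIS-1022-WAI-SEC-Patch.msp -Install
param(
    [Parameter(Mandatory = $true)]
    [string]$PatchPath,   # full path to the downloaded .msp file
    [switch]$Install      # run msiexec only when this switch is present
)

# File names and MD5 checksums copied from the download table on this page.
$Published = @{
    'ArcGIS-101SP1-WAI-SEC-Patch.msp' = '53FE342B1096CE3DBE4C94AC16C4B139'
    'ArcGIS-1021-WAI-SEC-Patch.msp'   = '0FF0E84950C4DC70739BC08DEB9DCE5A'
    'ArcGIS-1022-WAI-SEC-Patch.msp'   = 'E0F9AD5A8542E791415F7F3006D395CF'
}

$file = Get-Item -LiteralPath $PatchPath -ErrorAction Stop
$expected = $Published[$file.Name]
if (-not $expected) {
    # A renamed file cannot be matched to a published checksum, so stop here.
    throw "Unrecognized patch file '$($file.Name)'. Expected one of: $($Published.Keys -join ', ')"
}

# Get-FileHash requires PowerShell 4.0 or later.
$actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
if ($actual -ne $expected) {
    throw "MD5 mismatch for $($file.Name): expected $expected, got $actual. Do not install; download the file again."
}
Write-Output "MD5 verified for $($file.Name): $actual"

if ($Install) {
    # Same command the page gives for a manual start: msiexec.exe /p <patch file>
    # The path is quoted so that locations containing spaces are passed intact.
    $proc = Start-Process -FilePath 'msiexec.exe' `
                          -ArgumentList '/p', "`"$($file.FullName)`"" `
                          -Wait -PassThru
    Write-Output "msiexec exit code: $($proc.ExitCode)"
    exit $proc.ExitCode
}
```

MD5 is the only checksum this page publishes; a match shows the download is complete and is the file named in the table, but MD5 is not collision resistant, so it is not a substitute for obtaining the file from Esri directly.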

Installation Notes:


While installing the patch, IIS will be restarted and resources accessed through the Web Adaptor will be temporarily unavailable.

If a machine has multiple IIS Web Adaptors installed on it, launching the patch will trigger the installation wizard to run once for all the installed Web Adaptors.

After applying the patch to a Web Adaptor, you may choose to install additional Web Adaptors. Installing additional Web Adaptors will require applying the patch again. Until the patch is applied again, opening the configuration page for a new Web Adaptor will fail with an IIS error.

After applying the patch, you do not need to open the configuration page to register the Web Adaptor again.

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

September 2, 2014: A link to Knowledge Base - Technical Article 41548 has been added.

October 2, 2014: Additional installation notes added.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.


Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.