English

ArcGIS Web Adaptor for Java Security (January 2015) Patch

Summary

Esri recommends the installation of this security patch for the Web Adaptor for Java versions 10.2.1 and 10.2.2. If the Java application server hosting the ArcGIS Web Adaptor uses Java 6, this patch is required to disable SSLv3 and prevent the POODLE vulnerability. Java Application Servers that use Java 7 and the ArcGIS Web Adaptor for IIS are not affected by this issue. This patch is specifically for the versions 10.2.1 and 10.2.2.

Description

Introduction

Esri® announces the ArcGIS Web Adaptor for Java Security (January 2015) Patch. This patch addresses the POODLE security vulnerability with Java application servers that use Java version 6. Installations of the ArcGIS Web Adaptor for Java 10.2.1 and 10.2.2 are affected. Please upgrade to ArcGIS Web Adaptor for Java 10.2.1 or 10.2.2 first, before applying the patch. This patch deals specifically with the issue listed under Issues Addressed with this Patch.


Esri strongly recommends the installation of the latest security patches on all products. You must install the ArcGIS for Server Security (January 2015) Patch and Portal for ArcGIS Security (January 2015) Patch along with this Patch.


Issues Addressed with this patch


  • BUG-000083723 - The Java web adaptor fails to forward requests if Java 6 is used and SSLv3 is disabled on ArcGIS for Server or Portal for ArcGIS.

Installing this patch on Windows

Installation Steps:

Web Adaptor for Java must be installed before installing this patch.

  1. Download the appropriate file to a location other than your Web Adaptor for Java installation location.

  2.     Checksum (Md5)
    Web Adaptor for Java 10.2.1 ArcGIS-1021-WAJ-SEC-JAN2015-Patch.msp 7A50038F0E49BF5178ADAB031EB629E3
         
    Web Adaptor for Java 10.2.2 ArcGIS-1022-WAJ-SEC-JAN2015-Patch.msp 59B450D9FA31FE9DDFEBD1506E663417
         

  3. Make sure you have write access to your Web Adaptor for Java installation location.

  4. Double-click ArcGIS-<Version>-WAJ-SEC-JAN2015-Patch.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-WAJ-SEC-JAN2015-Patch.msp

  5. Look for the arcgis.war file under the java folder in your Web Adaptor for Java Installation location. Redeploy this arcgis.war to your Java application server. After redeployment, reconfigure the web adaptor to work with the Portal for ArcGIS or the ArcGIS for Server site.

Installing this patch on Linux

Installation Steps:

Complete the following install steps as the Web Adaptor for Java Install owner. The Install owner is the owner of the arcgis folder.

Web Adaptor for Java must be installed before installing this patch.

  1. Download the appropriate file to a location other than your Web Adaptor for Java installation location.


        Checksum (Md5)
    Web Adaptor for Java 10.2.1 ArcGIS-1021-WAJ-SEC-JAN2015-Patch-lx.tar FF2E1800D5833D71A5430BA5A9C52411
         
    Web Adaptor for Java 10.2.2 ArcGIS-1022-WAJ-SEC-JAN2015-Patch-lx.tar E3F61164693A0B1B18C82D4FD5E09D27
         

  2. Make sure you have write access to your Web Adaptor for Java installation location, and that no one is using Web Adaptor for Java.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-WAJ-SEC-JAN2015-Patch-lx.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

  5. Look for the arcgis.war file under the java folder in your Web Adaptor for Java Installation location. Redeploy this arcgis.war to your Java application server. After redeployment, reconfigure the web adaptor to work with the Portal for ArcGIS or the ArcGIS for Server site.

Uninstalling this patch

To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the ArcGIS Web Adaptor for Java Security (January 2015) Patch from the programs list and click Uninstall to remove the patch.

To uninstall this patch on Linux, you will need to completely uninstall the ArcGIS Web Adaptor for Java product. For more information regarding uninstalling ArcGIS Web Adaptor for Java please see the Uninstalling ArcGIS Web Adaptor page.

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

February 17, 2015: The setups for ArcGIS Web Adaptor for Java 10.2.2 are now available.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.