ArcGIS for Server (Linux) Security 2016 Update 1 Patch

Summary

This security patch addresses a security vulnerability found in ArcGIS for Server (Linux only). Esri recommends that all customers using ArcGIS Server (Linux) 10.2.2 and 10.3.1 apply this patch. Customers who are using 10.2 or 10.2.1 should first apply 10.2.2. Customers who are using 10.3 should first apply 10.3.1.

Description

Introduction

Esri® announces the ArcGIS for Server (Linux) Security 2016 Update 1 Patch. This patch addresses an XML External Entity (XXE) attack vulnerability that only exists on the Linux installation of ArcGIS for Server. Esri recommends that all customers using ArcGIS for Server (Linux) 10.2.2 and 10.3.1 apply this patch. The patch deals specifically with the issue listed below under Issues Addressed with this patch. While not required, Esri also recommends that all customers using ArcGIS for Server (Linux) 10.2.2 apply the ArcGIS for Server Security (January 2015) Patch.


Issues Addressed with this patch


  • BUG-000092906 - Map and Image services are vulnerable to an XML external entity injection (XXE).


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

ArcGIS 10.2.2 or 10.3.1 for Server must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    Version        Product            File                                     Checksum (MD5)
    ArcGIS 10.3.1  ArcGIS for Server  ArcGIS-1031-S-SEC2016U1-Patch-linux.tar  063025CA375B1BE5DBE498D6551DBC92
    ArcGIS 10.2.2  ArcGIS for Server  ArcGIS-1022-S-SEC2016U1-Patch-linux.tar  903A142ADCD41A88E41BE5F6EDEAD2F4

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-S-SEC2016U1-Patch-linux.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
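
The download from step 1 can be checked against its published MD5 value before it is extracted in step 3. The script below is an added example, not part of Esri's patch or tooling; the function names and script name are illustrative, and it assumes `md5sum` from GNU coreutils is available.

```shell
#!/bin/sh
# Added example (not Esri tooling): check the downloaded patch tar against
# the MD5 value published in step 1, and extract only if it matches.

# Published checksums, copied from the table in step 1 of this page.
expected_md5_for() {
    case "$(basename "$1")" in
        ArcGIS-1031-S-SEC2016U1-Patch-linux.tar) echo 063025CA375B1BE5DBE498D6551DBC92 ;;
        ArcGIS-1022-S-SEC2016U1-Patch-linux.tar) echo 903A142ADCD41A88E41BE5F6EDEAD2F4 ;;
        *) return 1 ;;  # not a file listed on this page
    esac
}

# Returns 0 on match, 1 on mismatch, 2 if the file is missing or unreadable.
# md5sum prints lowercase hex while the page lists uppercase, so both sides
# are upper-cased before the comparison.
verify_md5() {
    file=$1
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -r "$file" ] || return 2
    got=$(md5sum "$file" | cut -d' ' -f1 | tr '[:lower:]' '[:upper:]')
    [ "$got" = "$want" ]
}

# Step 3 with the check in front of it: tar runs only after a match.
verify_and_extract() {
    tarball=$1
    published=$(expected_md5_for "$tarball") || {
        echo "no published checksum for $tarball" >&2
        return 3
    }
    if verify_md5 "$tarball" "$published"; then
        tar -xvf "$tarball"
    else
        rc=$?
        echo "MD5 check failed for $tarball (status $rc); not extracting" >&2
        return "$rc"
    fi
}

# Usage: sh verify_patch.sh /path/to/ArcGIS-1031-S-SEC2016U1-Patch-linux.tar
# (script name is illustrative). With no argument, only the functions are defined.
if [ "$#" -gt 0 ]; then
    verify_and_extract "$1"
fi
```

A non-zero exit status means the file was not extracted: 1 for a checksum mismatch, 2 for an unreadable file, 3 for a file name this page does not list.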

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575 if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.