ArcGIS for Server Security 2016 Update 2 Patch

Summary

This security patch addresses multiple security vulnerabilities found in ArcGIS for Server. Esri recommends that all customers using ArcGIS Server 10.2.2 and 10.3.1 apply this patch. Customers who are using 10.2 or 10.2.1 should first apply 10.2.2. Customers who are using 10.3 should first apply 10.3.1.

Description

Introduction

Esri® announces the ArcGIS for Server Security 2016 Update 2 Patch. Esri recommends that all customers using ArcGIS Server 10.2.2 and 10.3.1 apply this patch. This patch deals specifically with the issues listed below under Issues Addressed with this patch.

This security patch is cumulative and includes several non-security related fixes from an earlier patch that are also listed below under Issues Addressed with this Patch.

Important Note: After applying this patch, WMTS services published in EPSG:4326 will not align correctly when consumed in ArcGIS Desktop and ArcGIS Engine. To resolve this issue, apply the appropriate patch (for ArcGIS Desktop and ArcGIS Engine) from the ArcGIS for (Desktop, Engine, Server) WMTS Tiles Misalignment Patch.

Important Note: After applying this patch, only administrators can publish geoprocessing services and deploy service extensions (both server object extensions (SOEs) and server object interceptors (SOIs)). For more information, including how to disable this setting, see Change geoprocessing service and service extension publishing privileges.


Issues Addressed with this patch

  • BUG-000095713 - Restrict geoprocessing service and extension publishing to administrators only.
  • BUG-000095712 - Restrict RMID ActivationSystem to ArcGIS Server processes only.
  • BUG-000095044 - SQL injection vulnerability that allows unauthorized modification of data.
  • BUG-000092447 - Tomcat vulnerability CVE-2014-0099 - Integer overflow attack.
  • BUG-000092445 - Tomcat vulnerability CVE-2014-0230 - Denial-of-service attack via thread consumption.
  • BUG-000090845 - Restrict access to the Tomcat internal shutdown port.

To avoid conflicts the ArcGIS 10.3.1 for Server version also includes:
  • BUG-000095244 - Unjoin Join workflow loses line points.
  • BUG-000094671 - EstimateCacheTileSize/ExportTiles jobs sporadically return a blank page, which needs to be refreshed several times to get the job status. Severe error messages are generated when the user clicks refresh.
  • BUG-000094082 - Window extents cause join links created by the trace-link tool to create line point links instead of parcel point links.
  • BUG-000093879 - Merge parcels changes original COGO dimensions when flex points are present.
  • BUG-000091959 - Some COGO properties of arcs are not being updated after using the Remainder tool.
  • BUG-000091775 - Forcing closure when creating a New Parcel recomputes the start point of the beginning course.
  • BUG-000091182 - Create parallel offset changes bearing values.
  • BUG-000092906 - Map and Image services are vulnerable to XML external entity (XXE) injection.
  • BUG-000090882 - Creating a new parcel on Win 8.1 OS and 10 OS causes ArcMap to crash when using the second join option or forcing closure.
  • BUG-000090534 - Packaging rasters in a catalog with an extent set does not properly clip.
  • BUG-000090429 - Reflected XSS vulnerability with generateToken requests occurs sporadically.
  • BUG-000090171 - PDF file attachments above a certain size in a feature service fail to display correctly in a browser.
  • BUG-000090045 - Optimize field checking to improve the performance of sync import and export.
  • BUG-000089636 - Parcel misclose ratio is not getting set properly on a perfect square parcel.
  • BUG-000089622 - Parcels that contain line strings with curves move out of place when adjacent parcels are unjoined.
  • BUG-000088948 - The Arc Length and Distance values are not updating correctly.
  • BUG-000088847 - Tiles from WMTS Services for some coordinate systems (or CSEC2016U2) do not align in ArcGIS Desktop and when served from ArcGIS Server.

    Important Note: After applying this patch, WMTS services published in EPSG:4326 will not align correctly when consumed in ArcGIS Desktop and ArcGIS Engine. To resolve this issue, apply the appropriate patch (for ArcGIS Desktop and ArcGIS Engine) from the ArcGIS for (Desktop, Engine, Server) WMTS Tiles Misalignment Patch.

  • BUG-000088825 - Parcel remainder tool creates gaps and overlaps between parcels.
  • BUG-000088454 - If a folder path contains the letter 'u' after '\', the ArcGIS for Server search service fails to register the folder with the error For Input String: "sage".
  • BUG-000088191 - The Parcel Fabric Name Parcel tool creates gaps on parcels that have a flexed line point.
  • BUG-000088180 - Line points are maintaining the original To, From and LinePoint ID values when using the Append GP tool.
  • BUG-000088145 - Survey dates on control points are being changed to null when creating a connection line in Parcel fabric.
  • BUG-000087817 - Bypass relationship processing if it is all records and optimize row copy on create replica.
  • BUG-000087751 - An 'out of memory' error occurs while running the Append Parcel Fabric geoprocessing tool on large parcel fabrics.
  • BUG-000087677 - Doing specific parcel fabric workflows through the Parcel explorer window causes control points to move to a different xy location when joined.
  • BUG-000087361 - Using the Parcel Fabric Add Line Point tool deletes existing line points in the same area.
  • BUG-000086992 - The parcel fabric least squares adjustment report gives incorrect values for range and standard deviation.
  • BUG-000086939 - Line points should not be created on curves when using Parallel Offset.
  • BUG-000086412 - Queries against feature service layers that contain many columns take longer than queries against the same layers' map service endpoint.
  • BUG-000086010 - Constructing a parcel on a parent that contains coincident line strings and has been adjusted creates gaps when built.
  • BUG-000085852 - Center points that have been merged are not honored once a parcel is opened and edits are kept.
  • BUG-000085354 - LinePoints not behaving correctly when working with different joining methods within a parcel fabric.
  • BUG-000082640 - When choosing a location other than the default for the arcgisserver folder during installation of ArcGIS for Server 10.3, the installation still creates the folder under c:\arcgisserver as well as in the new location specified. Also, when the arcgisserver folder that was initially created is removed, the system automatically creates a new arcgisserver folder with an empty directories subfolder.

To avoid conflicts the ArcGIS 10.2.2 for Server version also includes:
  • BUG-000092906 - Map and Image services are vulnerable to XML external entity (XXE) injection.
  • BUG-000088847 - Tiles from WMTS Services for some coordinate systems (or CSEC2016U2) do not align in ArcGIS Desktop and when served from ArcGIS Server.

    Important Note: After applying this patch, WMTS services published in EPSG:4326 will not align correctly when consumed in ArcGIS Desktop and ArcGIS Engine. To resolve this issue, apply the appropriate patch (for ArcGIS Desktop and ArcGIS Engine) from the ArcGIS for (Desktop, Engine, Server) WMTS Tiles Misalignment Patch.

  • BUG-000088244 - Optimize the deletion of objects from the geodatabases internal metadata.
  • BUG-000087118 - REST cache regenerates for each request when more than 100 services are accessed.
  • BUG-000086943 - The Verify, Repair and Rebuild Connectivity Tools need to identify and fix the max EID corruption problems.
  • BUG-000086566 - Recreating cache tiles for a cached service with preexisting cache fails randomly, at times leaving temporary files such as ".freelist, tmp.bundle, tmp.bundlx, tmp.freelist, compress.bundle, *.lock".
  • BUG-000086461 - Mosaic dataset is not seen in full extent due to too few overview levels.
  • BUG-000086412 - Queries against feature service layers that contain many columns take longer than queries against the same layers' map service endpoint.
  • BUG-000086192 - Loading data into a Geometric network Feature Class using arcpy.Append_management in Python can result in corrupted network features.
  • BUG-000083258 - Add support for CORS in Map/Image Services Tile Handler.
  • BUG-000082869 - An incorrect KML network link is created when ArcGIS for Server machine name has 'services' in it.
  • BUG-000082777 - Data specific: When re-caching data using a certain area of interest the Status.gdb shows negative tile count.
  • BUG-000082665 - Disable SSLv3 on the internal tomcat to prevent "POODLE" vulnerability.
  • BUG-000082467 - ArcGIS for Server opens too many files and does not release the file handles when serving cached services.
  • BUG-000082423 - Under consistent load, the javaw.exe process at ArcGIS 10.2.2 for Server consumes 25% of the server's RAM, and any further request forces the process to use 100% of the machine's CPU.
  • BUG-000081679 - When publishing to a federated GIS Server that has a config store on a DFS share, item information does not get copied to the portal item.
  • BUG-000081401 - Multiple cross-site scripting (XSS) vulnerabilities in ArcGIS for Server.
  • BUG-000081239 - ArcGIS Server has an open redirect vulnerability.
  • BUG-000080898 - Reflected cross-site scripting security (XSS) vulnerability.
  • NIM103623 - After publishing services to a federated GIS Server, item information is sometimes missing from the Portal item that is created.
  • NIM103555 - Printing a map service with many layers, including legends, results in performance issues with the ArcGIS for Server 10.2.2 print service.
  • NIM103130 - Some of the tiles fail to generate on demand when the requests are sent through REST connection in ArcGIS for Server 10.2.2.
  • NIM102939 - Multiple stored cross-site scripting (XSS) found.
  • NIM102197 - Unauthorized users can access tiles from a secured map service immediately after any authorized user accesses the service.
  • NIM099582 - ArcGIS Server performance drops when switching the identity store configuration from Active Directory to Active Directory with nested group support.
  • NIM098130 - ExportTiles fails for Japanese iOS client due to mangled Japanese characters in JSON responses.
  • NIM097651 - Public map services become private and require authentication after a brief disconnect of the config-store when the server is under load.
  • NIM087627 - Creation of Tile Package fails with an error "Invalid function arguments", when Server Tiling scheme is based on a custom projection.

Installing this patch on Windows

Installation Steps:

ArcGIS 10.2.2 or 10.3.1 for Server must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. Patch files and checksums (MD5):

         Version         Product             File                                  Checksum (MD5)
         ArcGIS 10.3.1   ArcGIS for Server   ArcGIS-1031-S-SEC2016U2-PatchB.msp    80437EB4DBBAF1AF1DC3C9BBB27C1BE1
         ArcGIS 10.2.2   ArcGIS for Server   ArcGIS-1022-S-SEC2016U2-Patch.msp     CEE2F570D27C70AE81F81DE0C04AC019


  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-<Version>-S-SEC2016U2-Patch.msp to start the setup process.

    NOTE: If double-clicking the MSP file does not start the setup installation, you can start it manually with the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-S-SEC2016U2-Patch.msp


Installing this patch on Linux

Installation Steps:

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

ArcGIS 10.2.2 or 10.3.1 for Server must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

     Patch files and checksums (MD5):

         Version         Product             File                                        Checksum (MD5)
         ArcGIS 10.3.1   ArcGIS for Server   ArcGIS-1031-S-SEC2016U2-PatchB-linux.tar    A15AD34203D09CE2CEAFD908A74AABCF
         ArcGIS 10.2.2   ArcGIS for Server   ArcGIS-1022-S-SEC2016U2-Patch-linux.tar     D77ED444A6368A3D62A4316EB89D4AFE


  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-S-SEC2016U2-Patch-linux.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
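Both the Windows and the Linux procedures above publish an MD5 checksum beside each patch file. The following POSIX shell script is an added example, not an Esri-supplied tool: it looks up the checksum listed on this page for a downloaded patch file by its file name and reports whether the download matches before the installer is run. The file names and checksum values are exactly those listed above; the function names and the sample data in the usage note are the example's own.

```shell
#!/bin/sh
# Verify a downloaded ArcGIS for Server Security 2016 Update 2 patch file
# against the MD5 checksum published on the patch page.
# Added example, not an Esri tool.

# Published patch file name -> MD5 checksum (values copied from the patch page).
expected_md5_for() {
    case "$1" in
        ArcGIS-1031-S-SEC2016U2-PatchB.msp)        echo 80437EB4DBBAF1AF1DC3C9BBB27C1BE1 ;;
        ArcGIS-1022-S-SEC2016U2-Patch.msp)         echo CEE2F570D27C70AE81F81DE0C04AC019 ;;
        ArcGIS-1031-S-SEC2016U2-PatchB-linux.tar)  echo A15AD34203D09CE2CEAFD908A74AABCF ;;
        ArcGIS-1022-S-SEC2016U2-Patch-linux.tar)   echo D77ED444A6368A3D62A4316EB89D4AFE ;;
        *) return 1 ;;
    esac
}

# Print the MD5 of a file as hex. Uses md5sum where available, otherwise OpenSSL.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.* //'
    fi
}

# Compare a file's MD5 with an expected value, ignoring hex case.
# Returns 0 on a match, 1 on a mismatch or a missing file.
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(file_md5 "$file" | tr 'A-F' 'a-f')
    want=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$want" ]; then
        echo "OK   $file  $actual"
        return 0
    fi
    echo "FAIL $file  expected $want  got $actual" >&2
    return 1
}

# Look up the published checksum by the file's base name, then verify it.
# Returns 2 when the file name is not one of the published patch files.
verify_patch_file() {
    name=$(basename "$1")
    expected=$(expected_md5_for "$name") || {
        echo "unknown patch file: $name (not listed on the patch page)" >&2
        return 2
    }
    verify_md5 "$1" "$expected"
}

# Usage: sh verify_patch.sh /path/to/ArcGIS-1022-S-SEC2016U2-Patch-linux.tar
if [ $# -ge 1 ]; then
    verify_patch_file "$1"
fi
```

Run the script with the path of the downloaded .msp or .tar file as its only argument and proceed with step 3 only when it prints OK. On Windows the same comparison can be made by hand with `certutil -hashfile <file> MD5` against the table above.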

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

June 13, 2016: Setups for 10.2.2 have been added to the patch page for download.

June 23, 2016: The 10.3.1 downloads have been updated to address an issue found when using ArcGIS Server Manager in non-English locales. This update is not related to the security issues addressed in the patch. You should only re-apply the patch if you use ArcGIS Server Manager in non-English locales.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.