

ArcGIS 10.1 SP1 for Server Security Patch

Published: November 15, 2012

Summary

This patch addresses two security vulnerabilities in ArcGIS Server that expose internal information via map and feature service queries. It is recommended that all ArcGIS Server customers using enterprise geodatabases or query layers with ArcGIS Server apply this patch immediately.

Description

Esri® announces the ArcGIS 10.1 SP1 for Server Security Patch. This patch addresses two security vulnerabilities in ArcGIS Server that expose internal information via map and feature service queries. ArcGIS Server map and feature services typically allow queries using a where clause against layers in a map. When certain values are provided via the where clause, it is possible to obtain internal information from the relational database, including the name of the table owner, the name of the machine where the database resides, and information stored in database system tables that the database account has access to. The patch deals specifically with the issues listed below under Issues Addressed with this Patch.


Issues Addressed with this Patch

  • NIM085361 - ArcGIS Server reveals fully qualified table names for layers within a feature service.

    Description: This defect causes the fully qualified table name of a feature class to be returned in error messages. Fully qualified table names often include the name of the table owner and the name of the machine.
  • NIM084249 - Union Select and Union All SQL statements can be inserted into the where statement of an ArcGIS Server query.

    Description: This is a SQL injection defect that allows the insertion of a UNION ALL or a UNION SELECT into a where clause, which allows data from other tables to be appended to the result. This can result in information from database system tables being revealed.
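The following is an added illustration of the defect class described under NIM084249, not Esri code and not a reproduction against ArcGIS Server. It uses an in-memory SQLite database with a constructed "parcels" layer; SQLite's sqlite_master table stands in for the "database system tables" the advisory mentions (in an enterprise geodatabase that role is played by the RDBMS catalog). The vulnerable function concatenates the client-supplied where clause verbatim, so a trailing UNION ALL pulls rows from another table into the result. The hardened function runs the clause through an allowlist tokenizer that accepts only a filter over the layer's own fields and, on any database error, fails closed without echoing the SQL or table names (the NIM085361 class of leak). Field names, table name and the keyword set are assumptions for the example.

```python
import re
import sqlite3

# Constructed sample layer standing in for a map/feature service layer (not real data).
LAYER_TABLE = "parcels"
LAYER_FIELDS = {"objectid", "owner_name"}


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE parcels (objectid INTEGER, owner_name TEXT)")
    con.executemany("INSERT INTO parcels VALUES (?, ?)", [(1, "A"), (2, "B")])
    con.commit()
    return con


def query_vulnerable(con, where):
    """Defect pattern: the where clause is concatenated verbatim, so a UNION ALL /
    UNION SELECT appended by the client adds rows from any table the DB account can read."""
    sql = f"SELECT objectid, owner_name FROM {LAYER_TABLE} WHERE {where}"
    return con.execute(sql).fetchall()


TOKEN_RE = re.compile(r"""
      \s+                        # whitespace
    | '(?:[^']|'')*'             # string literal; '' escapes an embedded quote
    | \d+(?:\.\d+)?              # unsigned numeric literal
    | [A-Za-z_][A-Za-z0-9_]*     # field name or keyword (checked against allowlists below)
    | <>|<=|>=|=|<|>             # comparison operators
    | [(),]                      # grouping and IN-list separators
""", re.VERBOSE)
ALLOWED_KEYWORDS = {"and", "or", "not", "in", "like", "is", "null", "between"}


def validate_where(where, fields=LAYER_FIELDS):
    """Accept only a filter expression over the layer's own fields. UNION, SELECT, FROM,
    other table names, ';', '--' and '/*' either fail the tokenizer or miss the
    identifier allowlist, and the clause is rejected before it reaches the database."""
    if not where.strip():
        raise ValueError("empty where clause")
    pos = 0
    while pos < len(where):
        m = TOKEN_RE.match(where, pos)
        if m is None:
            raise ValueError("unsupported token in where clause")
        tok = m.group(0)
        if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", tok):
            if tok.lower() not in fields and tok.lower() not in ALLOWED_KEYWORDS:
                raise ValueError("unknown field or keyword in where clause")
        pos = m.end()
    return where


def is_safe_where(where, fields=LAYER_FIELDS):
    try:
        validate_where(where, fields)
        return True
    except ValueError:
        return False


def query_hardened(con, where):
    sql = f"SELECT objectid, owner_name FROM {LAYER_TABLE} WHERE {validate_where(where)}"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error:
        # Fail closed: do not echo the SQL, the driver message or qualified table names.
        raise ValueError("query failed") from None


if __name__ == "__main__":
    con = make_db()
    injected = "1=0 UNION ALL SELECT name, sql FROM sqlite_master"
    print(query_vulnerable(con, injected))      # schema text from the system table leaks
    print(is_safe_where(injected))              # False: rejected by the allowlist
    print(query_hardened(con, "owner_name = 'B'"))
```

The allowlist tokenizer is a pragmatic approximation of a real where-clause parser: it does not understand the expression grammar, only which tokens may appear, so `1=1` still passes (it returns every row of the layer, which is what a where clause is for, not a leak). Negative literals, `!=` and functions are deliberately outside the grammar here; extend the token set only with constructs the layer actually needs, and keep identifiers bound to the published field list.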


Files Installed in this Patch

Under the Windows <ArcGIS Product Installation Directory>\bin folder:
  • CartoXLib.dll
  • FeatureServer.dll
  • GdbCore.dll
Under the Linux <ArcGIS Product Installation Directory>/bin folder:
  • CartoXLib.dll
  • FeatureServer.dll
  • GdbCore.dll

Installing this Patch on Windows

Installation Notes:

System Administrators: A technical paper, ArcGIS 10.1 Enterprise Deployment, discusses the enterprise deployment of ArcGIS 10.1 setups using Microsoft Systems Management Server (SMS), System Center Configuration Manager (SCCM), and Group Policy, including additional system requirements, suggestions, known issues, and Microsoft Software Installation (MSI) command line parameters. Deployment in a lockdown environment is also covered.

Installation Steps:

ArcGIS 10.1 Service Pack 1 for Server must be installed before you can install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    ArcGIS for Server: ArcGIS-101SP1-S-Security-Patch.msp
    Checksum (MD5): 71F74A8B64F2206E2EDA6D00B81105B0

  2. Make sure you have write access to your ArcGIS installation location.
  3. ArcGIS for Server only: Open the Services console (Control Panel > Administrative Tools > Services) and stop the ArcGIS Server service.
  4. Double-click ArcGIS-101SP1-S-Security-Patch.msp to start the install process.

    NOTE: If double-clicking the MSP file does not start the Patch installation, you can start the Patch installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-101SP1-S-Security-Patch.msp
  5. ArcGIS for Server only: Open the Services console (Control Panel > Administrative Tools > Services) and start the ArcGIS Server service.


Installing this Patch on Linux

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

ArcGIS 10.1 Service Pack 1 for Server must be installed before you can install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    ArcGIS for Server: ArcGIS-101SP1-S-Security-Patch-lx.tar
    Checksum (MD5): F352DA9BDFA4F99CD8E7741C6C4C1F6A

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.
  3. ArcGIS for Server only: stop the ArcGIS server service by typing:

    % <ArcGIS Server installation directory>/arcgis/server/stopserver.sh
  4. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-101SP1-S-Security-Patch-lx.tar
  5. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
  6. ArcGIS for Server only: start the ArcGIS Server service by typing:

    % <ArcGIS Server installation directory>/arcgis/server/startserver.sh
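The installation steps above publish a checksum for each download but leave the comparison to the reader. The following is an added example (not Esri's installer or tooling) that gates the Linux procedure on that comparison: it streams the downloaded file through MD5, compares it case-insensitively against the value published on this page for that file name, and only then returns or runs the documented sequence (stopserver.sh, tar -xvf, ./applypatch, startserver.sh) from the directory holding the tar. The install directory "/opt/arcgis/server" is a placeholder for <ArcGIS Server installation directory>/arcgis/server; self_check() uses a constructed three-byte file, not a real patch download.

```python
import hashlib
import os
import subprocess
import tempfile

# Checksums as published on this page (32 hex characters, MD5), keyed by the download
# file name given in the Windows and Linux installation steps.
PUBLISHED_MD5 = {
    "ArcGIS-101SP1-S-Security-Patch.msp": "71F74A8B64F2206E2EDA6D00B81105B0",
    "ArcGIS-101SP1-S-Security-Patch-lx.tar": "F352DA9BDFA4F99CD8E7741C6C4C1F6A",
}


def md5_hex(path, chunk_size=1 << 20):
    """Stream the file through MD5 and return the upper-case hex digest."""
    try:
        h = hashlib.md5(usedforsecurity=False)  # integrity check only; Python 3.9+ keyword
    except TypeError:
        h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def verify_patch_file(path, expected=None):
    """Compare a download against the published value for its file name.
    Returns (ok, actual_digest)."""
    name = os.path.basename(path)
    expected = expected or PUBLISHED_MD5.get(name)
    if expected is None:
        raise ValueError(f"no published checksum for {name}")
    actual = md5_hex(path)
    return actual == expected.upper(), actual


def linux_install_plan(server_dir, tar_path):
    """The Linux steps from this page, in order, as argv lists to be run as the
    ArcGIS install owner from the directory that holds the tar (applypatch is extracted there)."""
    return [
        [os.path.join(server_dir, "stopserver.sh")],
        ["tar", "-xvf", os.path.basename(tar_path)],
        ["./applypatch"],
        [os.path.join(server_dir, "startserver.sh")],
    ]


def install_linux(server_dir, tar_path, expected=None, execute=False):
    """Refuse to proceed on a checksum mismatch; with execute=False only return the plan."""
    ok, actual = verify_patch_file(tar_path, expected)
    if not ok:
        raise RuntimeError(f"checksum mismatch ({actual}); do not install")
    plan = linux_install_plan(server_dir, tar_path)
    if execute:
        work_dir = os.path.dirname(os.path.abspath(tar_path))
        for cmd in plan:
            subprocess.run(cmd, cwd=work_dir, check=True)
    return plan


def self_check():
    """Exercise the gate on a constructed file whose contents are b'abc' (the RFC 1321
    MD5 test vector), saved under the Linux download name. Nothing is executed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ArcGIS-101SP1-S-Security-Patch-lx.tar")
        with open(path, "wb") as f:
            f.write(b"abc")
        ok_good, actual = verify_patch_file(path, "900150983cd24fb0d6963f7d28e17f72")
        ok_published, _ = verify_patch_file(path)  # against the real published value
        try:
            install_linux("/opt/arcgis/server", path)  # placeholder install dir
            blocked = False
        except RuntimeError:
            blocked = True
        plan = install_linux("/opt/arcgis/server", path, expected=actual)
        return {"good": ok_good, "published": ok_published, "blocked": blocked,
                "steps": len(plan), "actual": actual}


if __name__ == "__main__":
    print(self_check())
```

A matching MD5 only confirms that the bytes on disk are the ones this page lists; it protects against a corrupted or substituted download, not against a tampered page, so always read the value from the current page (the checksums here were revised on November 26, 2012, see Patch Updates). For the Windows MSP the same verify_patch_file() call applies; the service stop and start are done through the Services console as described, so no command sequence is scripted for it here.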

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this Patch will be posted here.

November 26, 2012: Checksum values were updated.

How to identify which Patch is installed

To determine which ArcGIS products and patches are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine.

  • PatchFinder for Windows
  • PatchFinder for Linux/Solaris

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this Patch. International sites, please contact your local Esri software distributor.



Download ID:1930
