ArcGIS 10.1 SP1 QIP, 10.2.1, and 10.2.2 for Server Security (August 2014) Patch

Date Published: 04-20-2015

Summary:

This patch has been made obsolete by the ArcGIS for Server Security (January 2015) Patch, which contains all fixes in this patch.

Description:

Important Note:


April 20, 2015: This patch has been made obsolete by the ArcGIS for Server Security (January 2015) Patch, which contains all fixes in this patch. Please go to the latest security patch page and install it. Due to an issue with the 10.1 SP1 QIP setup for Windows in the Server Security (August 2014) Patch, you must uninstall the 10.1 SP1 QIP patch version before installing the ArcGIS for Server Security (January 2015) Patch. Publishing to server fails if the Server Security (January 2015) Patch is installed on a machine where the Server Security (August 2014) Patch is installed. The setups for 10.2.1 and 10.2.2 on Windows and all setups on Linux were not affected.


Introduction


Esri® announces the ArcGIS 10.1 SP1 QIP, 10.2.1, and 10.2.2 for Server Security (August 2014) Patch. Esri recommends that all customers using ArcGIS for Server 10.1 and later apply this patch. This patch addresses several cross-site scripting vulnerabilities and an unauthorized access vulnerability. This patch deals specifically with the issues listed below under Issues Addressed with this Patch.


Issues Addressed with this patch


  • NIM102197 - Unauthorized access to some resources from secured services is possible in certain circumstances. This occurs in 10.2, 10.2.1, and 10.2.2.
  • NIM102939 - Multiple stored cross-site scripting (XSS) found in ArcGIS for Server. This occurs in ArcGIS for Server 10.1, 10.1 SP1, 10.2, 10.2.1, and 10.2.2.

Installing this patch on Windows


Installation Steps:


ArcGIS 10.1 SP1 QIP, 10.2.1, or 10.2.2 for Server must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. Checksum (Md5):

     ArcGIS 10.1 SP1 QIP for Server   ArcGIS-101SP1QIP-S-SEC-AUG1024-Patch.msp   1C13FC455392EABB65D6107D342C1EC6
     ArcGIS 10.2.1 for Server         ArcGIS-1021-S-SEC-AUG1024-Patch.msp        C8BA4BCAB598313A17A567D116E3E975
     ArcGIS 10.2.2 for Server         ArcGIS-1022-S-SEC-AUG1024-Patch.msp        8369A24A38B25644D7F6B552A529EDF4

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-<Version>-S-SEC-AUG1024-Patch.msp to start the setup process.

    NOTE: If double-clicking the MSP file does not start the setup installation, you can start it manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-S-SEC-AUG1024-Patch.msp

Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

ArcGIS 10.1 SP1 QIP, 10.2.1, or 10.2.2 for Server must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


     Checksum (Md5):

     ArcGIS 10.1 SP1 QIP for Server   ArcGIS-101SP1QIP-S-SEC-AUG1024-Patch-lx.tar   B43B6981E301F15BADBA3DD231F77B34
     ArcGIS 10.2.1 for Server         ArcGIS-1021-S-SEC-AUG1024-PatchB-lx.tar       18C59D02D50BFDE1086E512FAC1AC885
     ArcGIS 10.2.2 for Server         ArcGIS-1022-S-SEC-AUG1024-PatchB-lx.tar       EF57C8A46548B3944064A6DCC17C34A5

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-S-SEC-AUG1024-Patch-lx.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
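
The following is an added example, not part of Esri's instructions: a shell check that compares a downloaded Linux archive with the MD5 values listed above before it is extracted. It assumes GNU md5sum is available; the function names published_md5 and verify_patch are illustrative.

```shell
#!/bin/sh
# Added example: verify a downloaded Linux patch archive against the MD5
# values published on this page before running tar or ./applypatch.
# Usage (after sourcing this file):
#   verify_patch ./ArcGIS-1022-S-SEC-AUG1024-PatchB-lx.tar && tar -xvf ...

# Published checksums, copied from the Linux table on this page.
published_md5() {
    case "$1" in
        ArcGIS-101SP1QIP-S-SEC-AUG1024-Patch-lx.tar) echo B43B6981E301F15BADBA3DD231F77B34 ;;
        ArcGIS-1021-S-SEC-AUG1024-PatchB-lx.tar)     echo 18C59D02D50BFDE1086E512FAC1AC885 ;;
        ArcGIS-1022-S-SEC-AUG1024-PatchB-lx.tar)     echo EF57C8A46548B3944064A6DCC17C34A5 ;;
        *) return 1 ;;   # file name not listed on the page
    esac
}

# verify_patch FILE [EXPECTED_MD5]
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or has no
# published checksum. EXPECTED_MD5 overrides the table lookup.
verify_patch() {
    file=$1
    [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }

    if [ -n "$2" ]; then
        expected=$2
    else
        expected=$(published_md5 "$(basename "$file")") || {
            echo "no published checksum for: $file" >&2
            return 2
        }
    fi

    # md5sum prints lowercase hex; the page lists uppercase, so normalize both.
    actual=$(md5sum "$file" | cut -d' ' -f1 | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$expected" | tr 'a-f' 'A-F')

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}
```

A match confirms the archive downloaded completely and unmodified in transit; MD5 is not collision-resistant, so retrieve both the file and the checksum list over a trusted channel.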

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

September 15, 2014: The 10.2.2 version of the patch has been added to the page.

November 12, 2014: The Linux setups for 10.2.2 and 10.2.1 have been updated to fix an issue reported in BUG-000082402 related to publishing. If you installed on Linux for 10.2.2 or 10.2.1 prior to November 12, please re-install to update the patch.

April 20, 2015: This patch has been made obsolete by the ArcGIS for Server Security (January 2015) Patch, which contains all fixes in this patch. Please go to the latest security patch page and install it. Due to an issue with the 10.1 SP1 QIP setup for Windows in the Server Security (August 2014) Patch, you must uninstall the 10.1 SP1 QIP patch version before installing the ArcGIS for Server Security (January 2015) Patch. Publishing to server fails if the Server Security (January 2015) Patch is installed on a machine where the Server Security (August 2014) Patch is installed. The setups for 10.2.1 and 10.2.2 on Windows and all setups on Linux were not affected.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575 if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.