Patches and updates

ArcGIS Server Security 2018 Update 1 Patch

Published: June 21, 2018

Zusammenfassung

Mit diesem Sicherheitspatch werden Sicherheitslücken wegen Stored Cross-Site Scripting in ArcGIS Server behoben. Esri empfiehlt allen Kunden, die ArcGIS Server 10.5.1, 10.4.1 und 10.3.1 verwenden, diesen Patch anzuwenden.



Beschreibung

Esri® kündigt den ArcGIS Server Security 2018 Update 1 Patch an. Esri empfiehlt allen Kunden, die ArcGIS Server 10.5.1, 10.4.1 und 10.3.1 verwenden, diesen Patch anzuwenden. Durch ihn wird das Problem behoben, das unter Mit diesem Patch behobene Probleme beschrieben ist.

Hinweis: Dieser kumulative Sicherheits-Patch enthält einige sicherheitsbezogene und nicht sicherheitsbezogene Problembehebungen aus früheren Patches, die auch unter "Mit diesem Patch behobene Probleme" beschrieben sind.

Wichtiger Hinweis, 16. August 2018: Die Version 10.5.1 dieses Patch wurde aktualisiert, um einen Regressionsfehler zu beheben, der sich auf die Visualisierung von Daten aus dem Big Data Store vom Typ "spatiotemporal" ausgewirkt hat. Benutzer sollten den aktualisierten Patch herunterladen und installieren, um dieses Problem zu beheben. Keiner der in der ursprünglichen Version des Patch enthaltenen Sicherheits-Bugfixes sind davon betroffen.



Mit diesem Patch behobene Probleme


  • BUG-000104739 - ArcGIS Server system tools are susceptible to cross-site scripting (XSS) attacks.
  • BUG-000115738 - After applying ArcGIS Server 10.5.1 Security 2018 Update 1 Patch, spatiotemporal point data from the ArcGIS Data Store cannot be displayed. (ArcGIS Server 10.5.1 Version only)
Um Konflikte zu vermeiden, werden mit Version 10.5.1 auch die folgenden Probleme behoben:
  • BUG-000113291 - There is an improper access control issue in ArcGIS Server.
  • BUG-000112254 - Donut polygons are represented with polygons instead of 'holes' in Web Feature Service (WFS) services in ArcGIS Server 10.5.1.
  • BUG-000112146 - WFS GetFeature request with a BBOX Filter and two layers does not work.
  • BUG-000112081 - Multi-column unique value renderer fails to start if the first column is a long int.
  • BUG-000112080 - Account for replica in data sender state when syncing with versioned data.
  • BUG-000112079 - Make the replicaServerGen parameter required in sycnhronizeReplica for syncModel perReplica.
  • BUG-000112077 - Should not filter uploaded or server generated input delta file at the end of a versioned sync.
  • BUG-000112075 - Add diff cursor logging and code to account for data inconsistencies during sync download.
  • BUG-000112060 - The feature service createReplica operation ignores the datum transformation set on the feature service in 10.5.1.
  • BUG-000111446 - WFS-T services can only be altered with a transaction with POST using WFS 2.0.0 syntax, even when forcing the version in the request to 1.1.0.
  • BUG-000110938 - EsriFieldTypeSingle behaves as an INT in WFS service published to ArcGIS Server 10.5.1.
  • BUG-000110480 - Updates to server directory locations are sometimes not be applied to all services.
  • BUG-000110388 - The ObjectID and GlobalID fields are not exposed in Web Feature Service (WFS) services in ArcGIS server 10.5.x.
  • BUG-000111075 - A feature service consumed in a GeoEvent Service fails to re-establish communication with the database once the database connection comes back after a communication failure.
  • BUG-000109803 - Unable to delete polygon and polyline features in a Spatiotemporal Big Data Store feature service created in ArcGIS GeoEvent Server.
  • BUG-000109738 - A Web Feature Service (WFS) displays a zero instead of a null value for the field attributes when queried through a browser.
  • BUG-000109686 - Disabling SSL in RabbitMQ causes instability issues for GeoEvent Server.
  • BUG-000109619 - WFS fails to yield data using DescribeFeatureType when accented characters (i.e. Á) are used in layer Names.
  • BUG-000109577 - Add support for NOT LIKE on queries with spatiotemporal based hosted feature services.
  • BUG-000109576 - Add support for upper and lower SQL functions on query with spatiotemporal based hosted feature services.
  • BUG-000109544 - ArcGIS GIS Server 10.5.1 Standard Overlay Layers analysis Tool fails with input line features that are results from the Join Features task of GeoAnalytics Tools of ArcGIS GeoAnalytics Server 10.5.1.
  • BUG-000109441 - The GetFeature service shows "Shape xsi:nil="true"" for a Web Feature Service (WFS) when the service has fields in the properties tab under "Table of Content" as invisible.
  • BUG-000108709 - Using the operator in the first layer of a query in a WFS:getFeature request causes an exception in the response.
  • BUG-000108365 - An XML POST request of a Web Feature Service (WFS) service is not accepted if PropertyName is used.
  • BUG-000108257 - The ArcGIS Enterprise Disaster Recovery and Replication workflow replaces the certificates in the standby environment with the certificates from the primary environment, which causes ArcGIS GeoEvent Server to fail to start.
  • BUG-000107477 - The GeoAnalytics Join Features tool fails on polygon to polygon joins with certain polygons.
  • BUG-000106367 - Failure to correctly use Oracle based feature services.
  • BUG-000106348 - Map and feature service published from the same geometric network returns different geometry when the query includes a transformation to a different coordinate system.
  • BUG-000106301 - Accessing secured map services through web-tier authentication with the ASP.NET identity store causes extended delays in response time on a regular basis.
  • BUG-000105936 - Set specific ports to use all machines for analysis in a GeoAnalytics Server behind a windows firewall.
  • BUG-000104306 - When viewing data published from a federated ArcGIS Server in a Portal for ArcGIS 10.5 web map, the federated ArcGIS Server logs report the following severe-level messages even though the data is viewable and editable on the map: "Failed to return the service configuration 'Service_name.MapServer'. Server machine 'https://MACHINE_NAME.DOMAIN.COM:7443/arcgis/sharing/rest/content/items/' returned an error. 'Internal Server Error'"
  • BUG-000103341 - PrintingTools services do not display shapefiles during printing or when creating Portal thumbnails when Z-values are included.
  • BUG-000102408 - WFS-T Inserts indicate success yet there's no point added.
  • BUG-000102081 - A Web Feature Service (WFS) provided by ArcGIS GIS Server requires a flag to toggle between using field names rather than field aliases. Otherwise, the WFS To Geodatabase tool fails to complete correctly if field aliases are used.
  • BUG-000099496 - In ArcGIS Server Manager, map services hang at the 'Starting' state when there are many requests generated while the service is starting.
  • NIM100766: Der Datumsfilter funktioniert nicht mit der "GetFeature"-Funktion des Web Feature Service (WFS).
Um Konflikte zu vermeiden, werden mit Version 10.4.1 auch die folgenden Probleme behoben:
  • BUG-000113291 - There is an improper access control issue in ArcGIS Server.
  • BUG-000111987 - The hotfix, QFE-1041-S-363090, results in the Operations Dashboard bar chart widget displaying "no data" when viewed in the IE browser (version 11).
  • BUG-000110882 - Uploading SOE to Server causes Spatiotemporal Big Data Store hosted map service created in ArcGIS GeoEvent Server inaccessible.
  • BUG-000107200 - Executing the find operation on a spatiotemporal big data store map service at REST intermittently returns the error, "none.get".
  • BUG-000105602 - Query for date fields fail with an error, "Database error has occurred" for a Spatiotemporal Big Data Store feature service.
  • BUG-000105458 - ArcGIS Server does not honor the 'domainControllerAddress' setting in the security configuration.
  • BUG-000102477 - When implementing a Server Object Interceptor (SOI) for a feature service, ServerUtilities.getServerUserInfo() returns empty values, but works as expected for a map service.
  • BUG-000099629 - Unable to upload files in ArcGIS Server Manager after updating the browser to Firefox 49 or Chrome 54.
  • BUG-000099496 - In ArcGIS Server Manager 10.4.1, map services hang at the 'Starting' state when there are many requests generated while the service is starting.
  • BUG-000099099 - Updating the sharing option of a map service of a federated ArcGIS Server to 'Everyone' from the ArcGIS Server Manager adds two map image layers to Portal for ArcGIS > My Content as items, if the map image layer has been moved to a subfolder in the Portal for ArcGIS My Content page.
  • BUG-000099098 - When a map image layer is moved to another folder in My Content on a federated portal, the sharing properties of the ArcGIS Server service is changed from Everyone to Private in ArcGIS Server Manager.
  • BUG-000098119 - ArcGIS Server exposes internal information.
  • BUG-000095194 - Feature service REST response periodically does not return full editing capabilities.
  • BUG-000094193 - When a server object interceptor (SOI) is enabled on an ArcGIS Server feature service with the Sync capability, the Create Replica operation fails, which renders the feature service unusable for offline editing.
  • BUG-000093500 - After login, user is redirected to the Services Directory home page instead of URL from which login was attempted.
  • NIM089714 - When running two Server Object Extensions (SOEs) on the same server with the same property name, the value of the second SOE property is ignored.
Um Konflikte zu vermeiden, werden mit Version 10.3.1 auch die folgenden Probleme behoben:
  • BUG-000113291 - There is an improper access control issue in ArcGIS Server.
  • BUG-000103341 - PrintingTools service does not display shape files during printing or when creating Portal thumbnails when Z-values are included.
  • BUG-000100330 - Enhance ArcGIS Server Manager security against clickjacking attempts.
  • BUG-000099629 - Unable to upload files in ArcGIS Server Manager after updating the browser to Firefox 49 or Chrome 54.
  • BUG-000098489 - The MapServer export operation ignores definition queries when they are malformed. The operation must throw an error instead.
  • BUG-000098312 - Printing service fails to print AGOL/Portal item that secured with limited access and credentials are embedded within that.
  • BUG-000098119 - ArcGIS Server exposes internal information.
  • BUG-000095713 - Restrict GP service and extension publishing to administrators only.
  • BUG-000095712 - Restrict RMID ActivationSystem to ArcSOC only.
  • BUG-000095244 - Unjoin Join workflow loses line points.
  • BUG-000095194 - Feature service REST response periodically does not return full editing capabilities.
  • BUG-000095044 - SQL injection vulnerability that allows unauthorized modification of data.
  • BUG-000094671 - EstimateCacheTileSize/ ExportTiles jobs sporadically returns a blank page, which needs to refreshed several times to get jobstatus. Severe error messages are generated when user clicks on refresh.
  • BUG-000094606 - ArcGIS Server Manager does not open if the fully qualified machine name ends in '.proxy'.
  • BUG-000094489 - Overwriting a hosted feature service in Portal for ArcGIS fails if using a feature class that is part of a feature dataset that also contains a geometric network.
  • BUG-000094082 - Window extents cause join links created by the trace-link tool to create line point links instead of parcel point links.
  • BUG-000094193 - When a server object interceptor (SOI) is enabled on an ArcGIS Server feature service with the Sync capability, the Create Replica operation fails, which renders the feature service unusable for offline editing.
  • BUG-000093884 - SOAP responses from map services do not comply with map server WSDL definition.
  • BUG-000093879 - Merge parcels changes original COGO dimensions when flex points are present.
  • BUG-000093500 - After login, user is redirected to the Services Directory home page instead of URL from which login was attempted.
  • BUG-000092906 - Map and Image services are vulnerable to a XML external entity injection (XXE).
  • BUG-000092447 - Tomcat vulnerability CVE-2014-0099 - Integer overflow attack.
  • BUG-000092445 - Tomcat vulnerability CVE-2014-0230 - Denial-of-service attack via thread consumption.
  • BUG-000091959 - Some COGO properties of arcs are not being updated after using the Remainder tool.
  • BUG-000091775 - Forcing closure when creating a New Parcel recomputes the start point of the beginning course.
  • BUG-000091182 - Create parallel offset changes bearing values.
  • BUG-000091147 - When Collector for Android 10.3.3 is working with a feature service, which has a non-nullable field with a coded attribute domain, if a value is not provided by the user, the application sends a space as an edit. This causes invalid data against the goals of the user's schema, and the application passing a space bypasses the goals of the end user to force a true value for this field.
  • BUG-000091033 - In ArcGIS Runtime Java GPK, certain functions, when packaging geoprocessing tools, which are critical to client operations, are not available.
  • BUG-000090882 - Creating a new parcel on Win 8.1 OS and 10 OS causes ArcMap to crash when using the second join option or forcing closure.
  • BUG-000090845 - Restrict access to the Tomcat internal shutdown port.
  • BUG-000090534 - Packaging rasters in a catalog with an extent set does not properly clip.
  • BUG-000090429 - Reflected XSS vulnerability with generateToken requests occurs sporadically.
  • BUG-000090045 - Optimize field checking on to improve performance of sync import and export.
  • BUG-000090171 - PDF file attachments above a certain size in a feature service fail to display correctly in a browser.
  • BUG-000089636 - Parcel misclose ratio is not getting set properly on a perfect square parcel.
  • BUG-000089622 - Parcels that contain line strings with curves move out of place when adjacent parcels are unjoined.
  • BUG-000088948 - The Arc Length and Distance values are not updating correctly.
  • BUG-000088847 - Tiles from WMTS Services for some coordinate systems (or CRS) do not align in ArcGIS Desktop and when served from ArcGIS Server.
  • BUG-000088825 - Parcel remainder tool creates gaps and over laps between parcels.
  • BUG-000088454 - If a folder path contains letter 'u' after '\' ArcGIS Server search service fails to register the folder with an error For Input String: "sage".
  • BUG-000088191 - The Parcel Fabric Name Parcel tool create gaps on parcels that have a flexed line point.
  • BUG-000088180- Line points are maintaining the original To, From and LinePoint ID values when using the Append GP tool.
  • BUG-000088145 - Survey dates on control points are being changed to null when creating a connection line in Parcel fabric.
  • BUG-000087817 - Bypass relationship processing if it is all records and optimize row copy on create replica.
  • BUG-000087751 - An 'out of memory' error occurs while running the Append Parcel Fabric geoprocessing tool on large parcel fabrics.
  • BUG-000087677 - Doing specific parcel fabric workflows through the Parcel explorer window causes control points to move to a different xy location when joined.
  • BUG-000087361- Using the Parcel Fabric Add Line Point tool deletes existing line points in the same area.
  • BUG-000086992 - The parcel fabric least squares adjustment report gives incorrect values for range and standard deviation.
  • BUG-000086939 - Line points should not be created on curves when using Parallel Offset.
  • BUG-000086412 - Queries against feature services layers that contain a many columns takes longer than queries against the same layers map service endpoint.
  • BUG-000086010 - Constructing a parcel on a parent that contains coincident line strings and has been adjusted creates gaps when built.
  • BUG-000085852 - Center points that have been merged are not honored once a parcel is opened and edits are kept.
  • BUG-000085354 - LinePoints not behaving correctly when working with different joining methods within a parcel fabric.
  • BUG-000083610 - Printing an external secure service with limit usage referrers fails in an ArcGIS Online web application.
  • BUG-000082640 - When choosing a different location for installation of ArcGIS Server 10.3 other than the default for the arcgisserver folder, the installation still creates the folder under c:\arcgisserver folder and a new location specified. Also, when the arcgisserver that was initially created is removed, the system automatically creates a new arcgisserver folder with a directories subfolder that is empty.
  • BUG-000082267 - Improve tab order, button labels, refresh behaviour, and navigation of ArcGIS Server Manager.

Installieren dieses Patch unter Windows


Installationsschritte:


Vor der Installation dieses Patch muss ArcGIS Server installiert werden.

  1. Laden Sie die entsprechende Datei an einen anderen Speicherort als den ArcGIS-Installationsspeicherort herunter.

  2. ArcGIS 10.5.1   Prüfsumme (Md5)
         
    ArcGIS Server ArcGIS-1051-S-SEC2018U1-PatchB.msp 547B062C5EC97DEEF772EB5029AEFC79
         
    ArcGIS 10.4.1   Prüfsumme (Md5)
         
    ArcGIS Server ArcGIS-1041-S-SEC2018U1-Patch.msp 6E4908AA95192AB5BDAEF7114043CA82
         
    ArcGIS 10.3.1   Prüfsumme (Md5)
         
    ArcGIS Server ArcGIS-1031-S-SEC2018U1-Patch.msp 978C1577AFA12B6CA5908E3B11B92446
         

  3. Stellen Sie sicher, dass Sie Schreibzugriff auf das ArcGIS-Installationsverzeichnis besitzen.

  4. Doppelklicken Sie auf "ArcGIS--S-SEC2018U1-Patch.msp", um das Setup zu starten.

    HINWEIS: Wird durch Doppelklicken auf die MSP-Datei die Setup-Installation nicht gestartet, können Sie die Setup-Installation mit dem folgenden Befehl manuell starten:

    msiexec.exe /p [Speicherort des Patches]\ArcGIS--S-SEC2018U1-Patch.msp


Installieren dieses Patch unter Linux


Installationsschritte:


Führen Sie die folgenden Installationsschritte als Besitzer der ArcGIS-Installation aus. Der Besitzer der Installation ist der Besitzer des ArcGIS-Ordners.

Vor der Installation dieses Patch muss ArcGIS Server installiert werden.

  1. Laden Sie die entsprechende Datei an einen anderen Speicherort als den ArcGIS-Installationsspeicherort herunter.


    ArcGIS 10.5.1   Prüfsumme (Md5)
         
    ArcGIS Server ArcGIS-1051-S-SEC2018U1-PatchB-linux.tar 8758D9E589EDF025747E9885CC233953
         
    ArcGIS 10.4.1   Prüfsumme (Md5)
         
    ArcGIS Server ArcGIS-1041-S-SEC2018U1-Patch-linux.tar 0B180A6A0EAD1BEE645744F24873A7B6
         
    ArcGIS 10.3.1   Prüfsumme (Md5)
         
    ArcGIS Server ArcGIS-1031-S-SEC2018U1-Patch-linux.tar 6121519562CEB00063343E7C207476D5
         
         

  2. Stellen Sie sicher, dass Sie Schreibzugriff für das ArcGIS-Installationsverzeichnis haben und ArcGIS durch keinen anderen Benutzer verwendet wird.

  3. Extrahieren Sie die jeweilige TAR-Datei durch Eingabe des folgenden Befehls:

    % tar -xvf ArcGIS--S-SEC2018U1-Patch-linux.tar

  4. Starten Sie die Installation durch die Eingabe des folgenden Befehls:

    % ./applypatch

    Es erscheint ein Dialogfeld für die menügesteuerte Installation. Die Standardauswahloptionen sind in Klammern ( ) angegeben. Die Installation kann jederzeit durch die Eingabe von "q" abgebrochen werden.

Deinstallieren dieses Patch unter Windows


  • Um diesen Patch unter Windows zu deinstallieren, öffnen Sie die Windows-Systemsteuerung und navigieren Sie zu "Programme und Funktionen". Stellen Sie sicher, dass "Installierte Updates anzeigen" (links oben im Dialogfeld "Programme und Funktionen") aktiv ist. Wählen Sie den Patch-Namen in der Liste der Programme aus und klicken Sie auf "Deinstallieren", um den Patch zu entfernen.

Deinstallieren dieses Patch unter Linux


  • Dieser Patch kann nur bei Version 10.5.1 deinstalliert werden. Um diesen Patch zu entfernen, navigieren Sie zum Verzeichnis /tmp und führen das folgende Skript als Besitzer der ArcGIS-Installation aus:

    ./patchremove

    Hinweise: Sie können nur den zuletzt installierten Patch entfernen.
  • Starten Sie Ihre ArcGIS-Server-Services neu

Patch-Aktualisierungen

Prüfen Sie auf der Seite Patches und Service Packs regelmäßig, ob zusätzliche Patches zur Verfügung stehen. Neue Informationen zu diesem Patch werden hier veröffentlicht.

20. Juli 2018: Die Version 10.3.1 des ArcGIS Server Security 2018 Update 1 Patch steht nun zum Download zur Verfügung.

1. August 2018: Für Benutzer der Version 10.5.1 mit raumzeitlichen Punktdaten wurde eine Regression identifiziert, die sich auf die Darstellung der Daten auswirkt. Dies hat keine Auswirkungen auf die Speicherung oder Verfügbarkeit der raumzeitlichen Daten. An der Behebung dieses Fehlers wird aktiv gearbeitet. Sobald ein aktualisierter Patch verfügbar ist, wird dieser veröffentlicht. Diese Regression beeinträchtigt nicht die in diesem Patch enthaltenen Sicherheits-Bugfixes.

16. August 2018: Die Version 10.5.1 dieses Patch wurde aktualisiert, um einen Regressionsfehler zu beheben, der sich auf die Visualisierung von Daten aus dem Big Data Store vom Typ "spatiotemporal" ausgewirkt hat. Benutzer sollten den aktualisierten Patch herunterladen und installieren, um dieses Problem zu beheben. Keiner der in der ursprünglichen Version des Patch enthaltenen Sicherheits-Bugfixes sind davon betroffen.

Ermittlung der installierten ArcGIS-Produkte

Um zu ermitteln, welche ArcGIS-Produkte auf dem Rechner installiert sind, wählen Sie die entsprechende Version des Dienstprogramms PatchFinder für Ihre Umgebung, und führen Sie sie auf dem lokalen Computer aus. PatchFinder listet alle installierten Produkte, Hotfixes und Patches auf dem lokalen Computer auf.

Anfordern von Unterstützung

US-Kunden wenden sich bitte an den technischen Support von Esri unter +1 888 377 4575, falls Probleme beim Installieren des Patch auftreten. Kunden außerhalb der USA wenden sich bitte an den jeweiligen Esri Softwaredistributor vor Ort.



Download ID:7625

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options