ArcGIS Server Security 2019 Update 2 Patch

• BUG-000125044: Hosted feature service has a stored cross-site scripting (XSS) vulnerability. (Nur 10.7.1 und 10.6.1)
  CVSS 3.0 Base Score: 4.6 – CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
• BUG-000123103: ArcGIS Server improperly handles an incorrect CORS origin.
  CVSS 3.0 Base Score: 4.2 – CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
• BUG-000124991: ArcGIS Server fails to fully import root or intermediate certificates. (Nur 10.7.1)

Um Konflikte zu vermeiden, werden mit Version 10.7.1 auch die folgenden Probleme behoben:

• BUG-000122285: Scalability of 3D Scene Service is impeded by frequent reads/writes to the config store and directories.

Um Konflikte zu vermeiden, werden mit Version 10.6.1 auch die folgenden Probleme behoben:

• BUG-000119801: Sample fails when more than one mosaic datasets are input as input rasters.
• BUG-000119759: Improve the quality and performance of the Sample tool.
• BUG-000119534: Path Allocation produces incorrect results when the source characteristics are specified.
• BUG-000119493: Sink tool creates two unique values for sink regions that are diagonally connected. This is incorrect as diagonally connected sinks should be identified with a single unique value.
• BUG-000119425: The SummarizeRasterWithin and ConvertRasterToFeature tasks in ArcGIS Image Server crashes when trying to directly read an input image service collocated on a cloud raster store.
• BUG-000119424: Zonal Geometry as Table and Zonal Geometry tools generate incorrect results when a field other than value was used. In this case, the logic for calculating zonal geometry properties is not correct, and the software may crash.
• BUG-000119423: Watershed tool hangs when processing extent is set to a single cell catchment.
• BUG-000119422: Flow distance tool in modelbuilder does not display 'FlowDistanceType' parameter.
• BUG-000119421: Flow Distance tool produces NoData for majority of cells when input surface raster is not hydro conditioned.
• BUG-000119419: Euclidean Direction using high resolution data produces incorrect output.
• BUG-000119323: RasterToPolygon with "Create multipart features" enabled, locks the output for editing.
• BUG-000118421: If there are non-English characters in a connection string, the Copy Raster tool will return this error when importing a raster in an enterprise geodatabase, "ERROR 999999: Error executing function. No raster store is configured. Not running inside a server process. Failed to execute (CopyRaster).''
• BUG-000117633: In 10.6.1 and prior, the message bus platform service may not be initialized correctly in all environments.
• BUG-000117372: Cross-site scripting (XSS) in Server Admin api.
• BUG-000116972: Collector for ArcGIS (iOS) fails to submit photo attachments to hosted feature layers in ArcGIS Enterprise 10.6.1.
• BUG-000116589: Cost Path and Cost Path as Polyline with flow direction input for backlink raster is slow.
• BUG-000116047: Cost Path produces incorrect output when Flow Direction raster is used as input for distance and backlink raster.
• BUG-000115799: Vector Tile Layers hosted in ArcGIS Enterprise 10.6.1 do not overzoom successfully when viewed in the Map Viewer.
• BUG-000113368: Euclidean allocation, distance and direction tools are much slower in current version verses previous version of ArcMap.
• BUG-000111075: A feature service consumed in a GeoEvent Service fails to re-establish communication with the database once the database connection comes back after a communication failure.
• BUG-000111075: Service recycling after a DB connection failure does not happen for Feature Server.
• BUG-000098315: Sample return Null data, when input raster is Mosaic.
• BUG-000096996: ExtractMultiValuestoPoints, ExtractValuestoPoints returns error when the input points feature is a XY Event Layer.

Um Konflikte zu vermeiden, werden mit Version 10.5.1 auch die folgenden Probleme behoben:

• BUG-000120805: ArcGIS Server has an access control issue.
• BUG-000119921: The GetFeature request to WFS version 1.0.0 shows a comma instead of a space between coordinate pair in gml:boundedby tag.
• BUG-000117983: Access control issue in the ArcGIS Server tile handler.
• BUG-000117372: Cross-site scripting (XSS) in Server Admin api.
• BUG-000117350: Recycling sco process takes longer than checkConnectionInterval time in case of stale database connections.
• BUG-000117026: Unable to consume Web Map Services (WMS) published from an ArcGIS Server 10.5.1 with Security 2018 Update 1 Patch B installed, in ArcMap, if any of the layer names contains special characters.
• BUG-000116172: When stopping the ArcGIS Server Windows Service on a machine with more than 256 GB of RAM and hundreds of services, the ArcSOC.exe processes takes a long time to completely shut down.
• BUG-000115772: When utilizing the GetFeature URL query on a Web Map Service (WFS) containing more than 300,000 features, the query fails after trying to run indefinitely.
• BUG-000115738: After applying ArcGIS Server 10.5.1 Security 2018 Update 1 Patch, spatiotemporal point data from the ArcGIS Data Store cannot be displayed.
• BUG-000113853: Web Feature Service (WFS) filter "within" does not return any objects when used.
• BUG-000113847: SynchronizeReplica output delta to JSON: inserted attachment fails to export.
• BUG-000113846: Sync: JSON synchronizeReplica response lists serverGen twice.
• BUG-000113845: CreateReplica to JSON format returnAttachmentsDataByUrl=true does not return attachments by URL.
• BUG-000113291: There is a broken access control vulnerability in ArcGIS Server.
• BUG-000112254: Donut polygons are represented with polygons instead of 'holes' in Web Feature Service (WFS) services in ArcGIS Server 10.5.1.
• BUG-000112146: WFS GetFeature request with a BBOX Filter and two layers does not work.
• BUG-000112081: Multi-column unique value renderer fails to start if the first column is a long int.
• BUG-000112080: Account for replica in data sender state when syncing with versioned data.
• BUG-000112079: Make the replicaServerGen parameter required in sycnhronizeReplica for syncModel perReplica.
• BUG-000112077: Should not filter uploaded or server generated input delta file at the end of a versioned sync.
• BUG-000112075: Add diff cursor logging and code to account for data inconsistencies during sync download.
• BUG-000112060: The feature service createReplica operation ignores the datum transformation set on the feature service in 10.5.1.
• BUG-000111738: An invalid geometry is not detected when using ST_GEOMETRY (or any other ST Function) to create a polygon from a well-known text (WKT) that contains some invalid and valid polygons. "ST_ASTEXT" gibt auch bei diesem Polygon "EMPTY" zurück.
• BUG-000111446: WFS-T services can only be altered with a transaction with POST using WFS 2.0.0 syntax, even when forcing the version in the request to 1.1.0.
• BUG-000111075: A feature service consumed in a GeoEvent Service fails to re-establish communication with the database once the database connection comes back after a communication failure.
• BUG-000110938: EsriFieldTypeSingle behaves as an INT in WFS service published to ArcGIS Server 10.5.1.
• BUG-000110801: Syncing with dataFormat = json returns the error "Failed to serialize delta gdb to JSON."
• BUG-000110480: Updates to server directory locations are sometimes not be applied to all services.
• BUG-000110388: The ObjectID and GlobalID fields are not exposed in Web Feature Service (WFS) services in ArcGIS server 10.5.x.
• BUG-000109803: Unable to delete polygon and polyline features in a Spatiotemporal Big Data Store feature service created in ArcGIS GeoEvent Server.
• BUG-000109738: A Web Feature Service (WFS) displays a zero instead of a null value for the field attributes when queried through a browser.
• BUG-000109686: Disabling SSL in RabbitMQ causes instability issues for GeoEvent Server.
• BUG-000109619: WFS fails to yield data using DescribeFeatureType when accented characters (i.e. A) are used in layer Names.
• BUG-000109577: Add support for NOT LIKE on queries with spatiotemporal based hosted feature services.
• BUG-000109576: Add support for upper and lower SQL functions on query with spatiotemporal based hosted feature services.
• BUG-000109544: ArcGIS GIS Server 10.5.1 Standard Overlay Layers analysis Tool fails with input line features that are results from the Join Features task of GeoAnalytics Tools of ArcGIS GeoAnalytics Server 10.5.1.
• BUG-000109441: The GetFeature service shows "Shape xsi:nil="true"" for a Web Feature Service (WFS) when the service has fields in the properties tab under "Table of Content" as invisible.
• BUG-000109142: GetFeature Request to Web Feature Service shows a comma instead of a space between coordinate pair in gml:boundedby tag only when defining the WFS version as 1.0.0.
• BUG-000108709: Using the operator in the first layer of a query in a WFS:getFeature request causes an exception in the response.
• BUG-000108365: An XML POST request of a Web Feature Service (WFS) service is not accepted if PropertyName is used.
• BUG-000108257: The ArcGIS Enterprise Disaster Recovery and Replication workflow replaces the certificates in the standby environment with the certificates from the primary environment, which causes ArcGIS GeoEvent Server to fail to start.
• BUG-000107477: The GeoAnalytics Join Features tool fails on polygon to polygon joins with certain polygons.
• BUG-000106500: A feature class with hidden fields published to ArcGIS Server 10.5 as a Web Feature Service (WFS) shows incorrect values for the fields in the attribute table when added to ArcMap with a WFS server connection.
• BUG-000106367: Failure to correctly use Oracle based feature services
• BUG-000106348: Map and feature service published from the same geometric network returns different geometry when the query includes a transformation to a different coordinate system.
• BUG-000106301: Accessing secured map services through web-tier authentication with the ASP.NET identity store causes extended delays in response time on a regular basis.
• BUG-000105936: Set specific ports to use all machines for analysis in a GeoAnalytics Server behind a windows firewall.
• BUG-000104739: ArcGIS Server system tools are susceptible to cross-site scripting (XSS) attacks.
• BUG-000104306: When viewing data published from a federated ArcGIS Server in a Portal for ArcGIS 10.5 web map, the federated ArcGIS Server logs report the following severe-level messages even though the data is viewable and editable on the map: "Failed to return the service configuration 'Service_name.MapServer'. Server machine 'https://MACHINE_NAME.DOMAIN.COM:7443/arcgis/sharing/rest/content/items/' returned an error. 'Internal Server Error'"
• BUG-000103341: PrintingTools services do not display shapefiles during printing or when creating Portal thumbnails when Z-values are included.
• BUG-000102408: WFS-T Inserts indicate success yet there's no point added.
• BUG-000102081: A Web Feature Service (WFS) provided by ArcGIS GIS Server requires a flag to toggle between using field names rather than field aliases. Otherwise, the WFS To Geodatabase tool fails to complete correctly if field aliases are used.
• BUG-000099496: In ArcGIS Server Manager, map services hang at the 'Starting' state when there are many requests generated while the service is starting.
• ENH-000117371: Add an option to enforce encrypted communication between ArcGIS Server and Active Directory.
• NIM100766: Der Datumsfilter funktioniert nicht mit der "GetFeature"-Funktion des Web Feature Service (WFS).

Um Konflikte zu vermeiden, werden mit Version 10.4.1 auch die folgenden Probleme behoben:

• BUG-000120805: ArcGIS Server has an access control issue.
• BUG-000117983: Access control issue in the ArcGIS Server tile handler.
• BUG-000117372: Cross-site scripting (XSS) in Server Admin api.
• BUG-000113291: There is an improper access control issue in ArcGIS Server.
• BUG-000111987: The hotfix, QFE-1041-S-363090, results in the Operations Dashboard bar chart widget displaying "no data" when viewed in the IE browser (version 11).
• BUG-000110882: Uploading SOE to Server causes Spatiotemporal Big Data Store hosted map service created in ArcGIS GeoEvent Server inaccessible.
• BUG-000107200: Executing the find operation on a spatiotemporal big data store map service at REST intermittently returns the error, "none.get".
• BUG-000105602: Query for date fields fail with an error, "Database error has occurred" for a Spatiotemporal Big Data Store feature service.
• BUG-000105458: ArcGIS Server does not honor the 'domainControllerAddress' setting in the security configuration.
• BUG-000104739: ArcGIS Server system tools are susceptible to cross-site scripting (XSS) attacks.
• BUG-000102477: When implementing a Server Object Interceptor (SOI) for a feature service, ServerUtilities.getServerUserInfo() returns empty values, but works as expected for a map service.
• BUG-000099629: Unable to upload files in ArcGIS Server Manager after updating the browser to Firefox 49 or Chrome 54.
• BUG-000099496: In ArcGIS Server Manager 10.4.1, map services hang at the 'Starting' state when there are many requests generated while the service is starting.
• BUG-000099099: Updating the sharing option of a map service of a federated ArcGIS Server to 'Everyone' from the ArcGIS Server Manager adds two map image layers to Portal for ArcGIS > My Content as items, if the map image layer has been moved to a subfolder in the Portal for ArcGIS My Content page.
• BUG-000099098: When a map image layer is moved to another folder in My Content on a federated portal, the sharing properties of the ArcGIS Server service is changed from Everyone to Private in ArcGIS Server Manager.
• BUG-000098119: ArcGIS Server exposes internal information.
• BUG-000095194: Feature service REST response periodically does not return full editing capabilities.
• BUG-000094193: When a server object interceptor (SOI) is enabled on an ArcGIS Server feature service with the Sync capability, the Create Replica operation fails, which renders the feature service unusable for offline editing.
• BUG-000093500: After login, user is redirected to the Services Directory home page instead of URL from which login was attempted.
• ENH-000117371: Add an option to enforce encrypted communication between ArcGIS Server and Active Directory.
• NIM089714: When running two Server Object Extensions (SOEs) on the same server with the same property name, the value of the second SOE property is ignored.

Vor der Installation dieses Patch muss ArcGIS Server installiert werden.

1. Laden Sie die entsprechende Datei an einen anderen Speicherort als den ArcGIS-Installationsspeicherort herunter.
   
   

2. ArcGIS 10.7.1		Prüfsumme (Md5)
   ArcGIS Server	ArcGIS-1071-S-SEC2019U2-Patch.msp	82F32B112551BE08C058E7EED0286302
   ArcGIS 10.6.1		Prüfsumme (Md5)
   ArcGIS Server	ArcGIS-1061-S-SEC2019U2-Patch.msp	3C036117A745CDB36C91F3B7A385BB05
   ArcGIS 10.5.1		Prüfsumme (Md5)
   ArcGIS Server	ArcGIS-1051-S-SEC2019U2-Patch.msp	DD873DE98FE071387B778F789831CB8E
   ArcGIS 10.4.1		Prüfsumme (Md5)
   ArcGIS Server	ArcGIS-1041-S-SEC2019U2-Patch.msp	F9BC234194DDC49FC06E48662D36A51C

   
   
3. Stellen Sie sicher, dass Sie Schreibzugriff auf das ArcGIS-Installationsverzeichnis besitzen.
4. 
   
5. Doppelklicken Sie auf "ArcGIS-<Version>-S-SEC2019U2-Patch.msp", um das Setup zu starten.
   
   HINWEIS: Wird durch Doppelklicken auf die MSP-Datei die Setup-Installation nicht gestartet, können Sie die Setup-Installation mit dem folgenden Befehl manuell starten:
   
   
   msiexec.exe /p [Speicherort des Patch]\ArcGIS-<Version>-S-SEC2019U2-Patch.msp
   
6. 
   

Führen Sie die folgenden Installationsschritte als Besitzer der ArcGIS-Installation aus. Der Besitzer der Installation ist der Besitzer des ArcGIS-Ordners.

Vor der Installation dieses Patch muss ArcGIS Server installiert werden.

1. Laden Sie die entsprechende Datei an einen anderen Speicherort als den ArcGIS-Installationsspeicherort herunter.
   
   
   

   ArcGIS 10.7.1		Prüfsumme (Md5)
   ArcGIS Server	ArcGIS-1071-S-SEC2019U2-Patch-linux.tar	9677040ED07CB6631E016A06CD490B1D
   ArcGIS 10.6.1		Prüfsumme (Md5)
   ArcGIS Server	ArcGIS-1061-S-SEC2019U2-Patch-linux.tar	403D97A96208C485ABF4A5502E045D04
   ArcGIS 10.5.1		Prüfsumme (Md5)
   ArcGIS Server	ArcGIS-1051-S-SEC2019U2-Patch-linux.tar	E87D45EB8029A9C8E39A685BDBBC9870
   ArcGIS 10.4.1		Prüfsumme (Md5)
   ArcGIS Server	ArcGIS-1041-S-SEC2019U2-Patch-linux.tar	06A560BB73F8A502B31E8E5F951A405B

   
   
2. Stellen Sie sicher, dass Sie Schreibzugriff auf das ArcGIS-Installationsverzeichnis haben und ArcGIS durch keinen anderen Benutzer verwendet wird.
3. 
   
4. Extrahieren Sie die jeweilige TAR-Datei durch Eingabe des folgenden Befehls:
   
   
   % tar -xvf ArcGIS-<Version>-S-SEC2019U2-Patch-linux.tar
5. 
   
6. Starten Sie die Installation durch die Eingabe des folgenden Befehls:
   
   
   % ./applypatch
   
   
   Es erscheint ein Dialogfeld für die menügesteuerte Installation. Die Standardauswahloptionen sind in Klammern ( ) angegeben. Die Installation kann jederzeit durch die Eingabe von "q" abgebrochen werden.
7. 
   

Um diesen Patch unter Windows zu deinstallieren, öffnen Sie die Windows-Systemsteuerung und navigieren Sie zu "Programme und Funktionen". Stellen Sie sicher, dass "Installierte Updates anzeigen" (links oben im Dialogfeld "Programme und Funktionen") aktiv ist. Wählen Sie den Patch-Namen in der Liste der Programme aus und klicken Sie auf "Deinstallieren", um den Patch zu entfernen.

Dieser Patch kann nur bei Version 10.5.1 und höher deinstalliert werden. Um diesen Patch zu entfernen, navigieren Sie zum Verzeichnis "/tmp" und führen das folgende Skript als Besitzer der ArcGIS-Installation aus:


Hinweise: Sie können nur den zuletzt installierten Patch entfernen.

Prüfen Sie auf der Seite Patches und Service Packs regelmäßig, ob zusätzliche Patches zur Verfügung stehen. Neue Informationen zu diesem Patch werden hier veröffentlicht.

Um zu ermitteln, welche ArcGIS-Produkte auf dem Rechner installiert sind, wählen Sie die entsprechende Version des PatchFinder-Dienstprogramms für Ihre Umgebung, und führen Sie sie auf dem lokalen Computer aus. PatchFinder listet alle installierten Produkte, Hotfixes und Patches auf dem lokalen Computer auf.

US-Kunden wenden sich bitte an den technischen Support von Esri unter +1 888 377 4575, falls Probleme beim Installieren des Patch auftreten. Kunden außerhalb der USA wenden sich bitte an den jeweiligen Esri Softwaredistributor vor Ort.