Esri has discovered a critical vulnerability in the Portal for ArcGIS component of ArcGIS Enterprise, resulting in a Server-Side Request Forgery (SSRF) issue. There is a specific known exploit vector for deployments running on infrastructure in Amazon Web Services (AWS), though customers running in other cloud environments may be impacted, depending on the specific cloud provider. Regardless of where ArcGIS Enterprise is being run, Esri always recommends installing the latest patches for all ArcGIS Enterprise software.
All versions prior to ArcGIS Enterprise 10.8 on both Windows and Linux are impacted by this security issue. Esri has released patches for all current versions of ArcGIS Enterprise, from version 10.5 through 10.7.1. ArcGIS 10.3.x and 10.4.x are in mature support status. Esri does not provide patches for products in the mature or retired support phases; more information regarding this can be found in the Esri Product Lifecycle Policy.
This patch was released to address a known defect, BUG-000128058.
To address this vulnerability, Esri strongly recommends that all customers running ArcGIS Enterprise install the Portal for ArcGIS Security 2020 Update 1 patch as soon as possible. This patch is available for ArcGIS Enterprise versions 10.5 – 10.7.1 and can be downloaded from the Esri Support website. This includes a fix for this issue, along with other recommended fixes for security issues. ArcGIS Enterprise 10.8 includes the fixes and does not require a patch.
For any questions about this patch and resolving the security vulnerability, please contact Esri Technical Support to resolve this issue.