Esri has discovered a critical vulnerability in the ArcGIS Server component of ArcGIS Enterprise resulting in a Server Side Request Forgery (SSRF) issue. There is a specific known exploit vector for deployments running on infrastructure in Amazon Web Services (AWS) but this vulnerability can apply to any environment, depending on the configuration. Customers are at risk of having internal information accessed by unauthorized individuals. Depending on their infrastructure configuration they may also be at risk of having unauthorized individuals gain administrative control over, or insight into, infrastructure.
All versions prior to ArcGIS Server 10.8 on both Windows and Linux are impacted by this security issue. Esri has released patches for all supported versions of ArcGIS Server, from version 10.4 through 10.7.1.
This patch was released in order to address a known defect, BUG-000128060 .
To address this vulnerability, Esri strongly recommends all customers running ArcGIS Server install the ArcGIS Server Security 2020 Update 1 patch as soon as possible. This patch is available for ArcGIS Enterprise 10.4 – 10.7.1. and can be downloaded from the Esri Support website. This includes a fix for this issue, along with other recommended fixes for security issues. ArcGIS Server 10.8 includes the fixes and does not require a patch.
For any questions about this patch and resolving the security vulnerability, please contact Esri Technical Support, or your Esri distributor (for customers outside the United States) to resolve this issue.