Description
Esri has released a security patch to address serious vulnerabilities in the Web Adaptor for IIS. This patch should be applied immediately. The Web Adaptor for the Java platform is not affected by these vulnerabilities.
Cause
Vulnerability Details:
NIM102891 – ArcGIS Web Adaptor on IIS does not enforce authorization on a restricted URL – (CWE-425)
The Web Adaptor's configuration interface can be reached directly by remote hosts without the authorization check that should guard it (forced browsing). An attacker who reaches the interface can disclose information about the deployment, modify the Web Adaptor's configuration, and/or disrupt service. This vulnerability carries a CVSS Base Score of 7.5 (HIGH).
NIM102631 – ArcGIS Web Adaptor on IIS contains a cross-site scripting (XSS) vulnerability – (CWE-79)
The Web Adaptor on IIS contains a vulnerability in which untrusted data is sent to a web browser without proper validation or escaping. This can result in hijacked user sessions and redirection to malicious sites, among other potential scenarios. This vulnerability carries a CVSS Base Score of 4.3 (MEDIUM).
Workaround
Esri requests that customers install Security Patch - ArcGIS Web Adaptor for IIS (10.1 SP1 to 10.2.2) at the earliest opportunity.
Mitigating Measures:
Esri recommends minimizing the attack surface of any software deployments. Administrative interfaces such as ArcGIS Manager and the Web Adaptor configuration page should not be exposed for general Internet access.
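One way to keep the Web Adaptor configuration page and the Manager proxy off the general Internet while still serving map and feature requests is an IIS IP restriction scoped to those two paths. The web.config fragment below is an added example, not Esri's code or part of the patch; it assumes the Web Adaptor is installed as the IIS application "arcgis" under the Default Web Site (so the configuration page is /arcgis/webadaptor and Manager is proxied at /arcgis/manager), and that 10.0.0.0/16 is the administrative network. The IIS "IP and Domain Restrictions" feature must be installed for the ipSecurity element to be honoured.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from Esri). Merge the two <location> elements into the
     existing web.config of the Web Adaptor application; do not replace that file.
     Assumed paths: /arcgis/webadaptor (configuration page) and /arcgis/manager
     (ArcGIS Manager via the Web Adaptor). Assumed admin range: 10.0.0.0/16.

     Weak default: with no ipSecurity element, allowUnlisted is true, so every
     source address that can reach IIS can reach the configuration page. -->
<configuration>

  <!-- Hardened: configuration page reachable only from loopback and the admin range. -->
  <location path="webadaptor">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <clear />
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="10.0.0.0" subnetMask="255.255.0.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- Same restriction for the Manager proxy path. Service endpoints outside
       these two paths keep the default (unrestricted) behaviour. -->
  <location path="manager">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <clear />
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="10.0.0.0" subnetMask="255.255.0.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

</configuration>
```

Two checks before relying on this. First, the ipSecurity section is locked at the server level by default, so IIS will return a 500.19 configuration error for the site until it is unlocked (for example with appcmd unlock config -section:system.webServer/security/ipSecurity) or the same rules are placed in applicationHost.config instead. Second, request /arcgis/webadaptor from an address outside the allowed range and confirm IIS answers 403.6 (IP address rejected); if a reverse proxy or load balancer sits in front of IIS, the address IIS sees is the proxy's, and the restriction has to be enforced at the proxy instead. This is a compensating control only; it does not remove either vulnerability, so the patch still needs to be applied.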
Note:
CVSS base scores do not include temporal or environmental (organization-specific) factors; the scores above are consistent with those assigned to similar historical vulnerabilities.
ArcGIS 10.1 SP1, 10.2.1, and 10.2.2 Web Adaptor for IIS Security (August 2014) Patch