ArcGIS 10.2 for Server Security Patch (September 2013)

Published: September 5, 2013

Summary

This patch addresses security vulnerabilities that affect ArcGIS 10.2 for Server. It is recommended that all ArcGIS Server customers apply this patch immediately.

Description

Esri® announces the ArcGIS 10.2 for Server Security Patch (September 2013). This patch addresses a persistent cross-site scripting vulnerability that requires administrative access in order to exploit. For further details please read the knowledge base article 41468.

This patch also addresses a vulnerability that allows authenticated administrators to upload any type of file including potentially unsafe files.
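The two mobile content directory issues above (stored cross-site scripting and unrestricted upload) are illustrated by the following added Python example. It is not code from the patch or from ArcGIS for Server; the allowlist of extensions, the file-name rules and the directory-listing markup are assumptions made for the illustration, and the function names are hypothetical.

```python
import html
import re
from urllib.parse import quote

# Assumed allowlist for illustration only; the page does not state which types
# the mobile content directory should accept.
ALLOWED_EXTENSIONS = {".zip", ".xml", ".json", ".png", ".jpg", ".jpeg"}

# A bare file name: a letter or digit first, then a conservative character set,
# at most 128 characters in total.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def check_upload_name(filename, allowed=ALLOWED_EXTENSIONS):
    """Return (accepted, reason). Deny by default; every check has to pass."""
    if "\x00" in filename:
        return False, "NUL byte in file name"
    name = filename.replace("\\", "/")
    if "/" in name:
        return False, "path separators are not allowed; supply a bare file name"
    if not SAFE_NAME_RE.fullmatch(name):
        return False, "file name contains disallowed characters or is too long"
    parts = name.split(".")
    if len(parts) < 2:
        return False, "file name has no extension"
    # Every extension in the name must be on the allowlist, so 'shell.jsp.png'
    # and 'file.' are refused along with plain 'shell.jsp'.
    for part in parts[1:]:
        ext = "." + part.lower()
        if ext not in allowed:
            return False, f"extension {ext} is not on the allowlist"
    return True, "accepted"


def render_listing_entry(filename):
    """One directory-listing row. The stored name is URL-encoded for the href
    and HTML-escaped for the visible text, so a name containing markup is
    rendered literally instead of being interpreted by the browser."""
    href = quote(filename)
    text = html.escape(filename, quote=True)
    return f'<li><a href="{href}">{text}</a></li>'


if __name__ == "__main__":
    # Constructed sample names, including ones an upload filter must reject.
    for candidate in ("parcels.zip", "PHOTO.JPG", "../../etc/passwd",
                      "shell.jsp", "shell.jsp.png", ".htaccess"):
        print(candidate, "->", check_upload_name(candidate))
    print(render_listing_entry("<b>name</b>.zip"))
```

The filter is deliberately strict: a multi-part name such as `archive.tar.gz` is refused unless every extension is on the allowlist. Loosen the allowlist for the types the directory actually serves rather than relaxing the structural checks.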

This patch also provides a new security option for administrators. ArcGIS for Server allows tokens to be acquired through HTTP GET requests. This patch adds an option to grant tokens only when an HTTP POST is used. An HTTP GET request carries the credentials in plain text in the request URL, where they may be stored in browser history or by network components. To learn more about this feature and how to activate it, please see the following help topics:
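To see whether clients on an existing deployment still request tokens over GET before turning the POST-only option on, the access log is the place to look. The following added Python example is not part of the patch or of ArcGIS for Server: it scans constructed access-log lines in the common Apache/Tomcat format, reports GET requests to a token endpoint, and redacts the password value before the finding is written anywhere else. The log lines, the endpoint paths and the function names are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the common "combined" access-log layout.
# They are illustrative only, not real ArcGIS Server log output.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2013:10:01:02 +0000] "GET /arcgis/tokens/generateToken?username=gisadmin&password=hunter2&f=json HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Sep/2013:10:01:09 +0000] "POST /arcgis/tokens/generateToken HTTP/1.1" 200 128 "-" "python-requests/1.2"
10.0.0.9 - - [05/Sep/2013:10:02:15 +0000] "GET /arcgis/rest/services/Parcels/MapServer?f=json HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Sep/2013:10:03:44 +0000] "GET /arcgis/tokens/?request=getToken&username=editor&password=s3cret HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

CREDENTIAL_PARAMS = {"username", "password"}  # parameters that identify a credential
SECRET_PARAMS = {"password"}                  # values that must never be re-logged


def is_token_endpoint(path):
    """Assumed path convention: anything under a /tokens segment issues tokens."""
    return "/tokens" in path.lower()


def redact_query(target):
    """Replace secret parameter values in a request target with a marker."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    kept = []
    for pair in parts.query.split("&"):
        key, sep, value = pair.partition("=")
        if key in SECRET_PARAMS and sep:
            kept.append(f"{key}=[REDACTED]")
        else:
            kept.append(pair)
    return parts.path + "?" + "&".join(kept)


def find_get_token_requests(log_text):
    """Return one finding per GET request to a token endpoint in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        target = urlsplit(m.group("target"))
        if m.group("method") != "GET" or not is_token_endpoint(target.path):
            continue
        params = parse_qs(target.query, keep_blank_values=True)
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": target.path,
            "status": int(m.group("status")),
            "credential_params": sorted(CREDENTIAL_PARAMS & set(params)),
            "redacted_target": redact_query(m.group("target")),
        })
    return findings


if __name__ == "__main__":
    for f in find_get_token_requests(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} GET {f['redacted_target']} "
              f"status={f['status']} credential_params={f['credential_params']}")
```

Each client address that shows up in the findings is one that will break once tokens are granted only on POST, so the list doubles as the migration checklist. The redaction step matters because the scan itself would otherwise copy the leaked passwords into a second file.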

Finally the patch addresses a SQL-injection vulnerability that affects ArcGIS for Server deployments with relational databases such as SQL Server, Oracle, PostgreSQL, DB2, or Informix. The SQL-injection vulnerability allows unauthorized modification of data. It deals specifically with the issues listed below under Issues Addressed with this Patch.
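The class of defect described above, a request value spliced into SQL text so that it can change which rows an edit touches, is illustrated by the following added Python example. It is not code from the patch or from ArcGIS for Server: it uses an in-memory SQLite table constructed for the example, a delete operation loosely modelled on a feature-service edit that takes an object ID, and a query that takes a field name. The table, column names and function names are assumptions.

```python
import sqlite3


def make_sample_db():
    """In-memory SQLite database with a constructed 'parcels' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parcels (OBJECTID INTEGER PRIMARY KEY, owner TEXT, area REAL)"
    )
    conn.executemany(
        "INSERT INTO parcels VALUES (?, ?, ?)",
        [(1, "Alvarez", 100.0), (2, "Bauer", 250.0), (3, "Chen", 80.5)],
    )
    conn.commit()
    return conn


def count_parcels(conn):
    return conn.execute("SELECT COUNT(*) FROM parcels").fetchone()[0]


def delete_feature_unsafe(conn, object_id):
    """Vulnerable form: the request value becomes part of the SQL text, so a
    value such as '2 OR 1=1' widens the WHERE clause to every row."""
    sql = "DELETE FROM parcels WHERE OBJECTID = " + str(object_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_feature_safe(conn, object_id):
    """Hardened form: enforce the expected type first, then bind the value as a
    parameter so the database never treats it as SQL."""
    try:
        oid = int(str(object_id).strip())
    except ValueError:
        raise ValueError(f"objectId must be an integer, got {object_id!r}")
    cur = conn.execute("DELETE FROM parcels WHERE OBJECTID = ?", (oid,))
    conn.commit()
    return cur.rowcount


# Identifiers (field names) cannot be bound as parameters, so they are checked
# against an allowlist derived from the schema; values are still bound.
ALLOWED_FIELDS = {"OBJECTID", "owner", "area"}


def is_allowed_field(field):
    return field in ALLOWED_FIELDS


def query_by_field(conn, field, value):
    """Return object IDs where field = value, with the field name validated."""
    if not is_allowed_field(field):
        raise ValueError(f"field {field!r} is not queryable")
    rows = conn.execute(
        f'SELECT OBJECTID FROM parcels WHERE "{field}" = ?', (value,)
    ).fetchall()
    return rows


def demo():
    """Run the same request value through both forms and report what happened."""
    results = {}
    conn = make_sample_db()
    results["unsafe_rows_deleted"] = delete_feature_unsafe(conn, "2 OR 1=1")
    results["unsafe_remaining"] = count_parcels(conn)

    conn = make_sample_db()
    try:
        delete_feature_safe(conn, "2 OR 1=1")
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    results["safe_rows_deleted"] = delete_feature_safe(conn, "2")
    results["safe_remaining"] = count_parcels(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two delete functions side by side is that the hardened version does not try to recognise malicious input; it simply refuses anything that is not an integer and hands the integer to the driver as a bound parameter. The same division applies to the query: values are bound, identifiers are allowlisted.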


Issues Addressed with this Patch

  • NIM092795 - The File Upload Filter for mobile content directories should block an upload of unwanted file types.
  • NIM092820 - The Mobile Content Directory in ArcGIS Server 10.1 SP1 has persistent cross-site scripting vulnerabilities.
  • NIM092841 - Add a configurable property to the ArcGIS token service that disables support for HTTP GET.
  • NIM094447 - There is a SQL injection vulnerability in map and feature services that allows unauthorized modification of data.
  • NIM094481 - When StandardizedQueries is True, a map service's query operation ignores the definition expression set on the layer in the source map document when outStatistics gets used.
  • NIM097252 - Asking for the extent of a 10.x fileGDB or SDE feature class after copy and paste returns none even if features exist.


Files Installed with this Patch

Under <ArcGIS Product Installation>/bin:
  • BasemapLayer.dll
  • FileGDB.dll
  • GdbCore.dll
  • GdbCoreLib.dll
  • GdbNetwork.dll
  • KmlConverterX.dll
  • MappingCoreLib.dll
  • MappingServicesLib.dll
  • MapServerX.dll
  • OleFDB.dll
  • sde.dll
  • SdeFDB.dll
Under <ArcGIS Product Installation>/framework/lib/server:
  • arcgis-admin.jar
  • arcgis-mcs-framework.jar
  • arcgis-resources.jar
  • arcgis-securitylib.jar
Under <ArcGIS Product Installation>/framework/runtime/tomcat/webapps:
  • arcgis#mobile
Under <ArcGIS Product Installation>/framework/runtime/tomcat/webapps/arcgis#services/WEB-INF/lib:
  • arcgis-securitylib.jar
Under <ArcGIS Product Installation>/framework/runtime/tomcat/webapps/arcgis#rest/WEB-INF/lib:
  • arcgis-securitylib.jar
Under <ArcGIS Product Installation>/framework/runtime/tomcat/webapps/arcgis#mobile/WEB-INF/lib:
  • arcgis-securitylib.jar
Under <ArcGIS Product Installation>/framework/runtime/tomcat/webapps/arcgis#tokens/WEB-INF/lib:
  • arcgis-securitylib.jar

Installing this Patch on Windows

Installation Notes:

System Administrators: A technical paper is available that discusses the enterprise deployment of ArcGIS 10.2 setups using Microsoft Systems Management Server (SMS), System Center Configuration Manager (SCCM), and Group Policy, including additional system requirements, suggestions, known issues, and Microsoft Software Installation (MSI) command line parameters. Deployment in a lockdown environment is also covered. See ArcGIS 10.2 Enterprise Deployment.

Installation Steps:

ArcGIS 10.2 for Server must be installed before you can install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

     Component: ArcGIS for Server
     File: ArcGIS-102-S-SSEC-PatchB.msp
     Checksum (MD5): 54A87BFCD807F6E8E4965D9DAA7C0C8B

  2. Make sure you have write access to your ArcGIS installation location.
  3. Double-click ArcGIS-102-S-SSEC-PatchB.msp to start the install process.

    NOTE: If double-clicking the MSP file does not start the setup installation, you can start it manually with the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-102-S-SSEC-PatchB.msp


Installing this Patch on Linux

Installation Steps:

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

ArcGIS 10.2 for Server must be installed before you can install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

     Component: ArcGIS Server
     File: ArcGIS-102-S-SSEC-PatchB-lx.tar
     Checksum (MD5): A63194EF54AB9F46FAB865C3D38C71F7

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.
  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-102-S-SSEC-PatchB-lx.tar

  4. Start the Installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven setup procedure. Default selections are noted in parentheses ( ). To quit the setup procedure, type 'q' at any time.
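Both installation procedures publish an MD5 checksum for the downloaded file, and step 1 of each is the point at which to compare it before running the installer. The following added Python example is not part of the patch; it computes the MD5 of a downloaded file in chunks and compares it, case-insensitively, against the values published on this page. The `verify_patch_file` name and the demonstration that writes a stand-in file are assumptions for the example.

```python
import hashlib
import os
import sys
import tempfile

# Expected MD5 values exactly as published on this patch page.
EXPECTED_MD5 = {
    "ArcGIS-102-S-SSEC-PatchB.msp": "54A87BFCD807F6E8E4965D9DAA7C0C8B",
    "ArcGIS-102-S-SSEC-PatchB-lx.tar": "A63194EF54AB9F46FAB865C3D38C71F7",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in 1 MiB chunks so large downloads are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_patch_file(path, expected=EXPECTED_MD5):
    """Return (matches, actual_md5, expected_md5) for a downloaded patch file.
    Raises KeyError if the file name is not one this page publishes a checksum for."""
    name = os.path.basename(path)
    want = expected[name].lower()
    got = md5_of_file(path)
    return got == want, got, want


def demo_with_constructed_file():
    """Write a stand-in file (constructed content, not the real patch) under the
    Linux patch name and verify it; the comparison is expected to fail."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ArcGIS-102-S-SSEC-PatchB-lx.tar")
        with open(path, "wb") as f:
            f.write(b"abc")
        return verify_patch_file(path)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: verify_patch.py <downloaded patch file>")
        sys.exit(2)
    ok, got, want = verify_patch_file(sys.argv[1])
    print(f"actual   {got}\nexpected {want}\n{'OK' if ok else 'MISMATCH: do not install'}")
    sys.exit(0 if ok else 1)
```

A mismatch means the download is not the file the page describes (truncated, altered in transit, or a different build), so the installer should not be run until a fresh download matches.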


Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

December 19, 2013: This patch was updated on December 19 to resolve an issue when requesting the extent of a geodatabase feature class through Python (NIM097252). Customers who downloaded this patch prior to December 13 should install the latest version of the patch.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

  • PatchFinder for Windows
  • PatchFinder for Unix/Linux

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.



Download ID: 2009