ArcGIS for Server (Linux) Security 2016 Update 1 Patch
Esri® announces the ArcGIS for Server (Linux) Security 2016 Update 1 Patch. This patch addresses an XML External Entity (XXE) attack vulnerability that only exists on the Linux installation of ArcGIS for Server. Esri recommends that all customers using ArcGIS for Server (Linux) 10.2.2 and 10.3.1 apply this patch. The patch deals specifically with the issue listed below under Issues Addressed with this patch. While not required, Esri also recommends that all customers using ArcGIS for Server (Linux) 10.2.2 apply the ArcGIS for Server Security (January 2015) Patch.
- BUG-000092906 - Map and Image services are vulnerable to an XML external entity (XXE) injection.
Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.
ArcGIS 10.2.2 or 10.3.1 for Server must be installed before installing this patch.
- Download the appropriate file to a location other than your ArcGIS installation location.
- Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.
- Extract the specified tar file by typing:
% tar -xvf ArcGIS-<Version>-S-SEC2016U1-Patch-lx.tar
- Start the installation by typing:
This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.
To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.
Domestic sites, please contact Esri Technical Support at 1-888-377-4575 if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.