ArcGIS Server Directory Traversal Vulnerability Patch

Published: September 14, 2022

Summary

This security patch addresses a security vulnerability found in ArcGIS Server. Esri recommends that all customers using ArcGIS Server 11.0 and 10.9 apply this patch.

Description

Important note (October 14, 2022): New setups have been made available to resolve an installation issue that was preventing the Portal for ArcGIS 11.0 Workflow Manager Web App Patch and the ArcGIS Server 11.0 Directory Traversal Vulnerability Patch from being installed on the same machine.

Esri® announces the ArcGIS Server Directory Traversal Vulnerability Patch. Esri recommends that all customers using ArcGIS Server 11.0 and 10.9 apply this patch. This patch deals specifically with the issue listed below under Issues Addressed with this patch.

This security patch is cumulative and includes several security and non-security related fixes from earlier patches that are also listed below under Issues Addressed with this Patch.

Important Note: BUG-000152121 is addressed for versions 10.7.1, 10.8.1, and 10.9.1 in the ArcGIS Server Security 2022 Update 2 Patch.

Issues Addressed with this patch

  • BUG-000152121 - Directory traversal vulnerability in ArcGIS Server

To avoid conflicts on 10.9 this patch also addresses:
  • BUG-000148146 - Applying the ArcGIS Server Log4j Patch on an AWS (Amazon Web Services) deployment may cause a machine to be removed from the ArcGIS Server site.
  • BUG-000145345 - Update log4j to address security vulnerabilities
  • BUG-000142204 - Setting a field invisible in a hosted feature service view needs to hide the field references from the templates.
  • BUG-000142180 - Hosted feature services vulnerable to XSS.
  • BUG-000142120 - SQL injection vulnerability in ArcGIS Server.
  • BUG-000141023 - Remove restrictions on interval parameters when used in enterprise hosted feature service layer queries.
  • BUG-000141022 - Hosted feature services in Enterprise need to return uncompressed responses when requested.
  • BUG-000139857 - Remote file inclusion vulnerability in the ArcGIS Server help documentation.

Installing this patch on Windows

Installation Steps:

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    ArcGIS Enterprise
      ArcGIS Server 11.0   ArcGIS-110-S-DTV-PatchB.msp
        Checksum (SHA256): 8DB30866A94364B39AAD96F2869F9A8C0E2C5A8EA5CE48C5DEE712B62672C2B6
      ArcGIS Server 10.9   ArcGIS-109-S-DTV-Patch.msp
        Checksum (SHA256): C6B0BF8C2CF69D62E127281FD56BCD1C955CD3A3B364813C5A135E0039C15E8A

  2. Make sure you have write access to your ArcGIS installation location.
  3. Double-click ArcGIS-<Version>-S-DTV-Patch.msp to start the setup process.

    NOTE: If double-clicking the MSP file does not start the setup installation, you can start it manually with the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-S-DTV-Patch.msp

Installing this patch on Linux

Installation Steps:

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    ArcGIS Enterprise
      ArcGIS Server 11.0   ArcGIS-110-S-DTV-PatchB-linux.tar
        Checksum (SHA256): 96D98590114FD5A2BD39BED894150768F596C464C84E5DE4B45FCB4222F96784
      ArcGIS Server 10.9   ArcGIS-109-S-DTV-Patch-linux.tar
        Checksum (SHA256): 8DD475E1E2A4993F4E5820592586C091E82B0FD1D197285982BBF6E33379C298

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.
  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-S-DTV-Patch-linux.tar
  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
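The page publishes SHA256 checksums for each tar file but the steps above do not show how to check them. The following script is an added example, not part of Esri's patch page or its applypatch tooling: it verifies the downloaded tar against the published checksum and only then extracts it and runs applypatch. The checksum constants are copied from the table above; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Esri's code): verify a downloaded ArcGIS Server DTV
# patch tarball against the SHA256 published on the patch page before
# extracting it and running ./applypatch.
# Expected checksums copied from the Linux download table (uppercase, as published).
EXPECTED_SHA256_110="96D98590114FD5A2BD39BED894150768F596C464C84E5DE4B45FCB4222F96784"
EXPECTED_SHA256_109="8DD475E1E2A4993F4E5820592586C091E82B0FD1D197285982BBF6E33379C298"

# sha256_of FILE -> prints the lowercase hex digest, via sha256sum or openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_patch FILE EXPECTED -> returns 0 only when the digest matches.
# Published checksums are uppercase while sha256sum prints lowercase,
# so the expected value is normalised before comparing.
verify_patch() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK  $file"
        return 0
    fi
    echo "MISMATCH $file: expected $expected got $actual" >&2
    return 1
}

# install_patch FILE EXPECTED: extract and apply only after verification.
install_patch() {
    verify_patch "$1" "$2" || return 1
    tar -xvf "$1" && ./applypatch
}

# Usage as the ArcGIS Install owner (uncomment the line for your version):
# install_patch ArcGIS-110-S-DTV-PatchB-linux.tar "$EXPECTED_SHA256_110"
# install_patch ArcGIS-109-S-DTV-Patch-linux.tar  "$EXPECTED_SHA256_109"
```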

Upgrade a geodatabase

When a hotfix or patch for ArcGIS has been applied, it may also be necessary to upgrade your geodatabase. See the Upgrade the Geodatabase section on the Geodatabase management page for your individual DBMS platform for more information.

Uninstalling this patch on Windows

  • To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux

  • To remove this patch on versions 10.7 and higher, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

    ./removepatch.sh

    The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

  • Restart your ArcGIS services

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.

Download ID: 8063
