Patches and updates

ArcGIS Server Security 2022 Update 2 Patch

Published: September 15, 2022

Summary

This security patch addresses a security vulnerability found in ArcGIS Server. Esri recommends that all customers using ArcGIS Server 10.9.1, 10.8.1 and 10.7.1 apply this patch.

Description

EsriĀ® announces the ArcGIS Server Security 2022 Update 2 Patch. Esri recommends that all customers using ArcGIS Server 10.9.1, 10.8.1 and 10.7.1 apply this patch. This patch deals specifically with the issues listed below under Issues Addressed with this patch.

This security patch is cumulative and includes several security and non-security related fixes from earlier patches that are also listed below under Issues Addressed with this Patch.

Important Note: One of the defect included with this patch, BUG-000152121, is also addressed for versions 10.9 and 11.0 in the ArcGIS Server Directory Traversal Vulnerability Patch.

Esri has registered CVEs (Common Vulnerabilities and Exposures) and provided base and temporally adjusted Common Vulnerability Scoring System v3.1 (CVSS) scores for these issues to allow our customers to better assess risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of a patch. These vulnerability details are provided in the patch advisory found here.

Issues Addressed with this patch

  • BUG-000152121 - Directory traversal vulnerability in ArcGIS Server.
  • BUG-000144906 - Unable to save a generated domain list or delete an existing domain list in Portal for ArcGIS. (10.9.1 only)

To avoid conflicts on 10.9.1 this patch also addresses:
  • BUG-000151727 - WMTS Capabilities file cannot be retrieved after installation of the ArcGIS Server Security 2022 Update 1 Patch.
  • BUG-000152111 - Mobile workers should not be able to query or edit assignments not assigned to them when accessing the assignments feature service outside of the Workforce mobile app.
  • BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability.
  • BUG-000148347 - Unvalidated redirect issue in ArcGIS Server.
  • BUG-000148146 - Applying the ArcGIS Server Log4j Patch on an AWS (Amazon Web Services) deployment may cause a machine to be removed from the ArcGIS Server site.
  • BUG-000147840 - The Search GET response from an ArcGIS Knowledge Server displays "compressed_frames == true" even though the frames are not compressed.
  • BUG-000146564 - Querying a hosted feature service with the returnIdsOnly=true parameter to return several million features, permanently loads the CPU of the hosting GIS server to 100% and makes it inaccessible until restarting the service.
  • BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000145681 - Create service fails when the knowledge server does not include GIS Server license.
  • BUG-000145551 - Attempting to display a hosted feature layer in Portal for ArcGIS 10.9.1 after a transformation configuration from WGS 1984 to ITM fails.
  • BUG-000145345 - Update log4j to address security vulnerabilities
  • BUG-000144441 - Renaming a machine after create site fails.
  • BUG-000144172 - Remote file download issue in ArcGIS Server.
To avoid conflicts on 10.8.1 this patch also addresses:
  • BUG-000152111 - Mobile workers should not be able to query or edit assignments not assigned to them when accessing the assignments feature service outside of the Workforce mobile app.
  • BUG-000151727 - WMTS Capabilities file cannot be retrieved after installation of the ArcGIS Server Security 2022 Update 1 Patch.
  • BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability.
  • BUG-000148710 - A hosted feature layer shared from ArcGIS Pro using ArcGIS Pro default datum transformation displays a shift in Portal Map Viewer when using Esri Basemaps as a background map.

    Note: The full resolution of BUG-000148710 requires an additional fix for BUG-000137729 that is included in a separate hot fix available by request through Esri Technical Support.

  • BUG-000148347 - Unvalidated redirect issue in ArcGIS Server.
  • BUG-000148146 - Applying the ArcGIS Server Log4j Patch on an AWS (Amazon Web Services) deployment may cause a machine to be removed from the ArcGIS Server site.
  • BUG-000148087 - Spatiotemporal Hosted Feature Service Views with Query Top Features ignore Object IDs in a GET Request query.
  • BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000146428 - Importing an ArcGIS Server site using the webgisdr utility returns a null error.
  • BUG-000145345 - Update log4j to address security vulnerabilities
  • BUG-000145107 - Unable to access secure services in Portal for ArcGIS 10.8.1 when using a token generated using application credentials.
  • BUG-000144252 - Hosted Feature Service Views with Query Top Features (Top Filter parameter) definition ignore Object IDs in a GET Request query.
  • BUG-000144172 - Remote file download issue in ArcGIS Server.
  • BUG-000142204 - Setting a field invisible in a hosted feature service view needs to hide the field references from the templates.
  • BUG-000142180 - Hosted feature services vulnerable to XSS.
  • BUG-000142120 - SQL injection vulnerability in ArcGIS Server.
  • BUG-000140344 - Unable to display or edit filters for hosted layer views in ArcGIS Enterprise Portal.
  • BUG-000139857 - Remote file inclusion vulnerability in the ArcGIS Server help documentation.
  • BUG-000138234 - The WebGIS DR backup fails when attempting to create a service.
  • BUG-000137668 - Stored XSS vulnerability in ArcGIS Server Services Directory
  • BUG-000137663 - Stored XSS vulnerability in ArcGIS Server
  • BUG-000137662 - Reflected XSS in ArcGIS Server
  • BUG-000137658 - SSRF vulnerability in ArcGIS Server Manager.
  • BUG-000135919 - When an ArcGIS Server site import fails while using the WebGIS DR utility tool due to returning a null error, the site is not returned to a functional state.
  • BUG-000135918 - Importing an ArcGIS Server site using the webgisdr utility returns a null error.
  • BUG-000135563 - If the field name is named with multibyte strings, using the WHERE clause as the query operation with the field fails.
  • BUG-000134113 - Only update service iteminfo when the Item Description fields are purposefully edited within Server Manager.
  • BUG-000133232 - Add support in ArcGIS Server to ensure ArcGIS Enterprise portal members with custom roles are able to delete their own services when the role includes administrative privileges such as 'View all members' and publisher privileges.
  • BUG-000132999 - In a multi-machine ArcGIS Server site, the restore process may not successfully unregister, and re-register the additional nodes.
  • BUG-000131992 - Reflected cross-site scripting (XSS) vulnerability in ArcGIS Server.
  • BUG-000127160 - Error enabling Location Tracking when the configuration store is in the cloud storage.
To avoid conflicts on 10.7.1 this patch also addresses:
  • BUG-000151727 - WMTS Capabilities file cannot be retrieved after installation of the ArcGIS Server Security 2022 Update 1 Patch.
  • BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability.
  • BUG-000148347 - Unvalidated redirect issue in ArcGIS Server.
  • BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000145345 - Update log4j to address security vulnerabilities
  • BUG-000144172 - Remote file download issue in ArcGIS Server.
  • BUG-000142204 - Setting a field invisible in a hosted feature service view needs to hide the field references from the templates.
  • BUG-000142120 - SQL injection vulnerability in ArcGIS Server.
  • BUG-000139857 - Remote file inclusion vulnerability in the ArcGIS Server help documentation.
  • BUG-000137668 - Stored XSS vulnerability in ArcGIS Server Services Directory
  • BUG-000137663 - Stored XSS vulnerability in ArcGIS Server
  • BUG-000137662 - Reflected XSS in ArcGIS Server
  • BUG-000137658 - SSRF vulnerability in ArcGIS Server Manager.
  • BUG-000132311 - Unable to view service workspace information in Server Manager when the site's config-store is stored in S3/DynamoDB in AWS
  • BUG-000131992 - Reflected cross-site scripting (XSS) vulnerability in ArcGIS Server.
  • BUG-000130002 - 'GetFolders', 'GetDescriptions', and 'GetDescriptionsEx' requests fail in ArcGIS Server 10.7.1 deployments on Amazon Web Services.
  • BUG-000128892 - Caching with 64 or more instances on a single machine may fail despite sufficient system resources.
  • BUG-000128060 - ArcGIS Server has a Server Side Request Forgery (SSRF) security vulnerability.
  • BUG-000127160 - Error enabling Location Tracking when the configuration store is in the cloud storage.
  • BUG-000127113 - Unable to connect to identity store using Asp.net using ArcGIS Server 10.7. or later after restarting the ArcGIS Server Windows service.
  • BUG-000125331 - CreateReplica with registerExistingData needs to account for service URLs with different machine names for hosted FS
  • BUG-000125214 - Optimize the deletion of services to avoid time-outs on deployments that include a large number of services.
  • BUG-000125044 - Hosted feature service has a stored cross-site scripting (XSS) vulnerability.
  • BUG-000124991 - ArcGIS Server fails to fully import root or intermediate certificates.
  • BUG-000124867 - When attempting to download a managed map area in Collector for ArcGIS, the download fails due to an error that occurs between ArcGIS Server and the ArcGIS Web Adaptor replica access.
  • BUG-000124827 - On a multiple-machine ArcGIS Server site that has one or more cached map services that have been consumed through ArcMap or a SOAP client, publishing a service or stopping/starting a service causes all services on the machines to restart.
  • BUG-000124576 - Starting a map service with a Java SOAP server object extension (SOE) enabled fails with the error "javax/xml/bind/JAXBException".
  • BUG-000124287 - Publishing fails because enterprise database registration fails, even though it appears to work on the UI. This could happen on a machine configuration that has multiple Network cards.
  • BUG-000123103 - ArcGIS Server improperly handles an incorrect CORS origin.
  • BUG-000122285 - Scalability of 3D Scene Service is impeded by frequent reads/writes to the config store and directories.
  • BUG-000120535 - In the Operations Dashboard for ArcGIS serial chart in Portal for ArcGIS, sorting data by statistics in the Data Options configuration returns the warning message, "Cannot Access Data."
  • BUG-000113339 - Creating a backup of ArcGIS Server returns an error message, "Export operation failed. null" if a cache directory is registered when creating a cloud data store.

Installing this patch on Windows


Installation Steps:


The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

The ArcGIS Server 10.9.1 Setup Program Patch is a mandatory prerequisite for installing this patch on Windows. Please download and install the ArcGIS Server 10.9.1 Setup Program Patch before attempting to install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    ArcGIS Enterprise  
       
    ArcGIS Server 10.9.1 ArcGIS-1091-S-SEC2022U2-Patch.msp
         Checksum
         (SHA256)    		 CA112F8207B23F972F241AAA7C60AEEF32FFD9A3DD63D5AF2817A8A38DCB6493
       
       
    ArcGIS Server 10.8.1 ArcGIS-1081-S-SEC2022U2-Patch.msp
         Checksum
         (SHA256)    		 FD7749EBB790418B68A671D21C1903560872D3D2D0FFE3E95E3FD71B7CC26778
       
       
    ArcGIS Server 10.7.1 ArcGIS-1071-S-SEC2022U2-Patch.msp
         Checksum
         (SHA256)    		 26F5337EBBB39EAC43A061E7E9862D5332FDFCD0AD4008D63E24267C30CC1302
       

  2. Make sure you have write access to your ArcGIS installation location.
  3. Double-click ArcGIS-<Version>-S-SEC2022U2-Patch.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-S-SEC2022U2-Patch.msp

Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    ArcGIS Enterprise  
       
    ArcGIS Server 10.9.1 ArcGIS-1091-S-SEC2022U2-Patch-linux.tar
         Checksum
         (SHA256)    		 4011DB16F63A7683E780544AAE90C48E9AC4D08B469E34D322A7FD7E1333F6A7
       
    ArcGIS Server 10.8.1 ArcGIS-1081-S-SEC2022U2-Patch-linux.tar
         Checksum
         (SHA256)    		 376CB46D3F151F48BE24AC9E5095A10899F1F1A559AD2050914992EE4D870EC6
       
    ArcGIS Server 10.7.1 ArcGIS-1071-S-SEC2022U2-Patch-linux.tar
         Checksum
         (SHA256)    		 C2929F68FB3A6D7EBEAF031082A431FBF62B4F28FC2F8E934FC646097ACE675A
       

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.
  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-S-SEC2022U2-Patch-linux.tar
  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

Upgrade a geodatabase

When a hotfix or patch for ArcGIS has been applied, it may also be necessary to upgrade your geodatabase. See the Upgrade the Geodatabase section on the Geodatabase management page for your individual DBMS platform for more information.

Uninstalling this patch on Windows

  • To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux

  • To remove this patch on versions 10.7 and higher, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

    ./removepatch.sh

    The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

  • Restart your ArcGIS services

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

 

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.


Download ID:8064

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options