
ArcGIS Server Security 2023 Update 1 Patch

Published: July 20, 2023

Summary

Esri announces the ArcGIS Server Security 2023 Update 1 Patch. Esri recommends that all customers using ArcGIS Server 11.0, 10.9.1, and 10.8.1 apply this patch. This patch deals specifically with the issues listed below. 

Note: This security patch is cumulative and includes several security and non-security related fixes from earlier patches that are also listed below under Issues Addressed with this Patch.

Issues Addressed with this Patch

  • BUG-000154070 - Stored XSS issue in the ArcGIS REST Services Directory.
  • BUG-000158075 - Stored XSS issue in ArcGIS Server.
  • BUG-000155043 - The Append operation on an editor-tracking-enabled layer updates the created-user field with the editing user when upsert=true and skipInserts=true (10.9.1, 10.8.1 only).
  • BUG-000154221 - After installing the ArcGIS for Server Security 2022 Update 1 or 2 Patch, the KML region URL of a map service is invalid.
  • BUG-000153493 - Installing the ArcGIS Server Security 2022 Update 1 or 2 Patch affects access to existing Workflow Manager (Classic) feature services.
  • BUG-000153438 - After installing the ArcGIS Server Security 2022 patch, ArcGIS Server service folders become inaccessible at the REST endpoint if the folder name contains a period (.).
  • BUG-000133297 - Size of server.xml keeps increasing (10.9.1, 10.8.1 only).

To avoid conflicts, the 10.9.1 version also addresses:

  • BUG-000154194 - Service creation in a single folder can cause failure to create services on high specification machines in an ArcGIS Server site.
  • BUG-000152562 - Slow performance when loading ArcGIS Server feature service with returnAdvancedSymbols parameter in the request URL.
  • BUG-000152121 - Directory traversal vulnerability in ArcGIS Server.
  • BUG-000152111 - Mobile workers should not be able to query or edit assignments not assigned to them when accessing the assignments feature service outside of the Workforce mobile app.
  • BUG-000151727 - WMTS-Capabilities file cannot be retrieved after installation of the ArcGIS Server Security 2022 Update 1 Patch.
  • BUG-000151381 - Members assigned roles without the edit privilege are unable to edit publicly shared hosted feature layers that have editing, edit tracking and public data collection enabled.
  • BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability.
  • BUG-000148347 - Unvalidated redirect issue in ArcGIS Server.
  • BUG-000148146 - Applying the ArcGIS Server Log4j Patch on an AWS (Amazon Web Services) deployment may cause a machine to be removed from the ArcGIS Server site.
  • BUG-000147840 - The Search GET response from an ArcGIS Knowledge Server displays "compressed_frames == true" even though the frames are not compressed.
  • BUG-000146564 - Querying a hosted feature service with the returnIdsOnly=true parameter to return several million features permanently loads the CPU of the hosting GIS server to 100% and makes it inaccessible until the service is restarted.
  • BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000145681 - Create service fails when the knowledge server does not include a GIS Server license.
  • BUG-000145551 - Attempting to display a hosted feature layer in Portal for ArcGIS 10.9.1 after a transformation configuration from WGS 1984 to ITM fails.
  • BUG-000145345 - Update log4j to address security vulnerabilities.
  • BUG-000144906 - Unable to save a generated domain list or delete an existing domain list in Portal for ArcGIS 10.9.1.
  • BUG-000144441 - Renaming a machine after creating a site fails.
  • BUG-000144172 - Remote file download issue in ArcGIS Server.

To avoid conflicts, the 10.8.1 version also addresses:

  • BUG-000152121 - Directory traversal vulnerability in ArcGIS Server.
  • BUG-000151727 - WMTS-Capabilities file cannot be retrieved after installation of the ArcGIS Server Security 2022 Update 1 Patch.
  • BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability.
  • BUG-000148710 - A hosted feature layer shared from ArcGIS Pro using ArcGIS Pro default datum transformation displays a shift in Portal Map Viewer when using Esri Basemaps as a background map.
  • BUG-000148347 - Unvalidated redirect issue in ArcGIS Server.
  • BUG-000148146 - Applying the ArcGIS Server Log4j Patch on an AWS (Amazon Web Services) deployment may cause a machine to be removed from the ArcGIS Server site.
  • BUG-000148087 - Spatiotemporal Hosted Feature Service Views with Query Top Features ignore Object IDs in a GET Request query.
  • BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000146428 - Importing an ArcGIS Server site using the webgisdr utility returns a null error.
  • BUG-000145345 - Update log4j to address security vulnerabilities.
  • BUG-000145107 - Unable to access secure services in Portal for ArcGIS 10.8.1 when using a token generated using application credentials.
  • BUG-000144252 - Hosted Feature Service Views with Query Top Features (Top Filter parameter) definition ignore Object IDs in a GET Request query.
  • BUG-000144172 - Remote file download issue in ArcGIS Server.
  • BUG-000142204 - Setting a field invisible in a hosted feature service view needs to hide the field references from the templates.
  • BUG-000142180 - Hosted feature services vulnerable to XSS.
  • BUG-000142120 - SQL injection vulnerability in ArcGIS Server.
  • BUG-000140344 - Unable to display or edit filters for hosted layer views in ArcGIS Enterprise Portal.
  • BUG-000139857 - Remote file inclusion vulnerability in the ArcGIS Server help documentation.
  • BUG-000138234 - The WebGIS DR backup fails when attempting to create a service.
  • BUG-000137668 - Stored XSS vulnerability in ArcGIS Server Services Directory.
  • BUG-000137663 - Stored XSS vulnerability in ArcGIS Server.
  • BUG-000137662 - Reflected XSS in ArcGIS Server.
  • BUG-000137658 - SSRF vulnerability in ArcGIS Server Manager.
  • BUG-000135919 - When an ArcGIS Server site import fails while using the WebGIS DR utility tool due to returning a null error, the site is not returned to a functional state.
  • BUG-000135918 - Importing an ArcGIS Server site using the webgisdr utility returns a null error.
  • BUG-000135563 - If the field name consists of multibyte strings, a query operation with a WHERE clause on that field fails.
  • BUG-000134113 - Only update service iteminfo when the Item Description fields are purposefully edited within Server Manager.
  • BUG-000133232 - Add support in ArcGIS Server to ensure ArcGIS Enterprise portal members with custom roles are able to delete their own services when the role includes administrative privileges such as 'View all members' and publisher privileges.
  • BUG-000132999 - In a multi-machine ArcGIS Server site, the restore process may not successfully unregister and re-register the additional nodes.
  • BUG-000132034 - In Portal for ArcGIS, when the name of the attachment file is Japanese, an attached file is unable to open but can be downloaded.
  • BUG-000131992 - Reflected cross-site scripting (XSS) vulnerability in ArcGIS Server.
  • BUG-000128912 - The usage report in the ArcGIS Server statistics does not generate an accurate result: it shows the value 2147483647 for the ServiceRunningInstancesMax metric when the instances in use reach the maximum instance count.
  • BUG-000127160 - Error enabling Location Tracking when the configuration store is in the cloud storage.

Installing this patch on Windows

This patch should be installed on all ArcGIS Server installations related to the ArcGIS Server site.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

For ArcGIS Server 10.9.1, the ArcGIS Server 10.9.1 Setup Program Patch is a mandatory prerequisite for installing this patch on Windows. Please download and install the ArcGIS Server 10.9.1 Setup Program Patch before attempting to install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

     ArcGIS Enterprise 11.0
       ArcGIS Server: ArcGIS-110-S-SEC2023U1-Patch.msp
       Checksum (SHA256): ACD62BF28413C5137837492683B43C367E956F4179340D99612F9B2FC753340A

     ArcGIS Enterprise 10.9.1
       ArcGIS Server: ArcGIS-1091-S-SEC2023U1-Patch.msp
       Checksum (SHA256): 7588E8385EE0F40F80AC276CD27C1FE817B8FE7B981DBF49C5C5A0562CDF39DF

     ArcGIS Enterprise 10.8.1
       ArcGIS Server: ArcGIS-1081-S-SEC2023U1-Patch.msp
       Checksum (SHA256): EA480FCEB2C4D4367A4E9D3D7AA4A4E6D5983A290ADBB67E56864D62762FE766

  2. Make sure you have write access to your ArcGIS installation location.

  3. Double-click ArcGIS-<Version>-S-SEC2023U1-Patch.msp to start the setup process.

NOTE: If double-clicking the MSP file does not start the setup installation, you can start it manually with the following command:

msiexec.exe /p [location of Patch]\ArcGIS-<Version>-S-SEC2023U1-Patch.msp

Installing this patch on Linux

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder. This patch should be installed on all ArcGIS Server installations related to the ArcGIS Server site.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

     ArcGIS Enterprise 11.0
       ArcGIS Server: ArcGIS-110-S-SEC2023U1-Patch-linux.tar
       Checksum (SHA256): 22B6DCA2DFD531F3B69772ACFE19958FEC67222810A417FA36C2E8783CDC1E84

     ArcGIS Enterprise 10.9.1
       ArcGIS Server: ArcGIS-1091-S-SEC2023U1-Patch-linux.tar
       Checksum (SHA256): 1C6BCEA629E89BA2607191FB677CAFDB9859D7D977A847F9AFD615086210E27B

     ArcGIS Enterprise 10.8.1
       ArcGIS Server: ArcGIS-1081-S-SEC2023U1-Patch-linux.tar
       Checksum (SHA256): 65DC4E5C8FB4E89D2969997502232AC0BDB262800767F370ECCCCA4FE65D7A53

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

     % tar -xvf ArcGIS-<Version>-S-SEC2023U1-Patch-linux.tar

  4. Start the installation by typing:

     % ./applypatch

This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
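The download table above publishes a SHA256 for each Linux archive; the following POSIX shell helper is an added example (not part of Esri's install procedure) that compares a downloaded tar against the published digest and only runs step 3's tar -xvf when it matches. The function names verify_patch, file_sha256, expected_sha256 and verify_and_extract are this example's own; the digests and archive names are copied from the table.

```shell
# Added example (not part of Esri's procedure): verify the downloaded Linux
# patch archive against the SHA256 checksum published on this page before
# extracting it. The digests below are copied from the download table.

# Print the published SHA256 for a known archive name; fail on anything else.
expected_sha256() {
    case "$1" in
        ArcGIS-110-S-SEC2023U1-Patch-linux.tar)  echo 22B6DCA2DFD531F3B69772ACFE19958FEC67222810A417FA36C2E8783CDC1E84 ;;
        ArcGIS-1091-S-SEC2023U1-Patch-linux.tar) echo 1C6BCEA629E89BA2607191FB677CAFDB9859D7D977A847F9AFD615086210E27B ;;
        ArcGIS-1081-S-SEC2023U1-Patch-linux.tar) echo 65DC4E5C8FB4E89D2969997502232AC0BDB262800767F370ECCCCA4FE65D7A53 ;;
        *) return 1 ;;
    esac
}

# SHA256 of a file as uppercase hex, using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1 | tr 'a-f' 'A-F'
    else
        shasum -a 256 "$1" | cut -d' ' -f1 | tr 'a-f' 'A-F'
    fi
}

# verify_patch PATH [EXPECTED]: return 0 only when the file's digest equals
# EXPECTED (or, if omitted, the published digest for its base name).
# A missing file, an unknown archive name or a mismatch returns 1.
verify_patch() {
    vp_path=$1
    if [ -n "$2" ]; then
        vp_expected=$2
    else
        vp_expected=$(expected_sha256 "$(basename "$vp_path")") || {
            echo "verify_patch: no published checksum for $(basename "$vp_path")" >&2; return 1; }
    fi
    [ -f "$vp_path" ] || { echo "verify_patch: $vp_path not found" >&2; return 1; }
    vp_expected=$(printf '%s' "$vp_expected" | tr 'a-f' 'A-F')   # compare case-insensitively
    vp_actual=$(file_sha256 "$vp_path")
    if [ "$vp_actual" = "$vp_expected" ]; then
        echo "OK: $vp_path matches the published SHA256"
        return 0
    fi
    printf 'MISMATCH: %s\n  expected %s\n  actual   %s\n' "$vp_path" "$vp_expected" "$vp_actual" >&2
    return 1
}

# Step 3 of the Linux install, gated on the check: extract only after verification.
verify_and_extract() {
    verify_patch "$1" && tar -xvf "$1"
}
```

Run verify_and_extract ArcGIS-<Version>-S-SEC2023U1-Patch-linux.tar in the download directory; a mismatch prints both digests to stderr and leaves the archive unextracted.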

Uninstalling this patch on Windows

To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux

To remove this patch on versions 10.7 and higher, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

./removepatch.sh

The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by the date they were installed. Type ./removepatch.sh -h for usage help.

Restart your ArcGIS services.

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

PatchFinder for Windows

PatchFinder for Linux/Unix

