Patches and updates

ArcGIS Server Feature Services Security Patch

Summary

Esri announces the ArcGIS Server Feature Services Security Patch.  Esri recommends that all customers using ArcGIS Server 11.5, 11.4, and 11.3 apply this patch. This patch deals specifically with the issues listed below under Issues addressed with this patch.

This patch can be uninstalled as outlined in the Uninstalling this patch on Windows and Uninstalling this patch on Linux sections below.

Esri recommends developing a rollback plan before installing patches. For those utilizing a highly available environment, refer to the help topic on how to apply patches in a highly available environment for guidance.

Please see Esri’s advisory here for additional information, including potential mitigation measures.

Issues addressed with this patch

  • BUG-000179884 - There is a security vulnerability in ArcGIS Server Feature Services.

To avoid conflicts the 11.5 version also addresses:

  • BUG-000178964 - Remove "hasContingentValuesDefinition": true property on layer resource for references feature services.
  • BUG-000178298 - Allow editing on simple branch versioned datasets without the ArcGIS Advanced Editing user type extension license.
  • BUG-000178209 - Remove ArcGIS Advanced Editing user type extension license checks for specific endpoints in the Version Management Service.

To avoid conflicts the 11.3 version also addresses:

  • BUG-000179221 - Blob fields always return Conflicts despite the edits being the same.
  • BUG-000178298 - Allow editing on simple branch versioned datasets without the ArcGIS Advanced Editing user type extension license.
  • BUG-000178209 - Remove ArcGIS Advanced Editing user type extension license checks for specific endpoints in the Version Management Service.
  • BUG-000176107 - Network Dataset enters in a state of failure after performing an edit.
  • BUG-000176098 - SQL Server wait event resource_semaphore contention encountered because branch versioned queries on large tables with low selectivity result in the optimizer generating massive memory grants.
  • BUG-000174795 - The conflicts operation in the REST endpoint retrieves the default representation of a feature using an incorrect moment.
  • BUG-000170853 - Taking utility network data offline as simple features passes the wrong bit value in the createReplica call.
  • BUG-000170852 - Creating associations does not honor the userGlobalIDs parameter in the applyEdits operation.
  • BUG-000167572 - Dirty areas with empty geometries are generated after validate network topology.
  • BUG-000158284 - Hosted tables fail to synchronize in distributed collaborations between ArcGIS Enterprise and ArcGIS Online.

Installing this patch on Windows

On Windows, the release date order of the patches does not matter when installing multiple patches. If an older patch is installed after a newer patch, the newer patch takes precedence and the fixes from the newer patch will remain. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.
 

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

ArcGIS Enterprise   
   
     ArcGIS Server 11.5 ArcGIS-115-S-FSS-Patch.msp
     Checksum
     (SHA256)		 09B40897EDFE9081729CD4AF4E7208EABF59B309653305FABA2C10D1D123A416
   
     ArcGIS Server 11.4 ArcGIS-114-S-FSS-Patch.msp
     Checksum
     (SHA256)		 78FD4FC066FF87916065A8AC50880B99A819637FD15047A251147E1AB86769C4
   
     ArcGIS Server 11.3 ArcGIS-113-S-FSS-Patch.msp
     Checksum
     (SHA256)		 6A1DDF7DA5115011DEBA33F8CB7C14905DB37D0EB90F3B832A8A9BD04A172355
   

Step 2: Make sure you have write access to your ArcGIS installation location.

Step 3: Double-click ArcGIS-<Version>-S-FSS-Patch.msp to start the setup process.

NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

msiexec.exe /p [location of Patch]\ArcGIS-<Version>-S-FSS-Patch.msp
 

Installing this patch on Linux

On Linux, the release date order of the patches matters when installing multiple patches. If an older patch is installed after a newer patch, the older patch will replace the newer patch and the fixes in the newer patch will be removed. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder. This patch should be installed on all ArcGIS Server installations related to the ArcGIS Server site.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.


Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

ArcGIS Enterprise   
   
     ArcGIS Server 11.5 ArcGIS-115-S-FSS-Patch-linux.tar
     Checksum
     (SHA256)		 650B8F91831F9660F82B9098846C7A3DAC2AF7CE0DE95CA5F23BCE677853565C
   
     ArcGIS Server 11.4 ArcGIS-114-S-FSS-Patch-linux.tar
     Checksum
     (SHA256)		 950DDFB608ED379288C43887C5364553E0CC7D2108C9365428AB5B56814AC85F
   
     ArcGIS Server 11.3 ArcGIS-113-S-FSS-Patch-linux.tar
     Checksum
     (SHA256)		 4B2B793D40CD7C7EA865801C8A8D5CFE0EB77A2E4A73DF012C8CA95D92315804
   

Step 2: Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

Step 3: Extract the specified tar file by typing:

% tar -xvf ArcGIS-<Version>-S-FSS-Patch-linux.tar

Step 4: Start the installation by typing:

% ./applypatch

This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

 

Upgrade a geodatabase

When installing this patch, it is necessary to upgrade your geodatabase to achieve full value from the fixes included. See the Upgrade the Geodatabase section on the Geodatabase management page for your individual DBMS platform for more information. Executing the steps below will not cause any harm if your geodatabase is already at the required level, so the recommended approach is to follow the steps as outlined. If your database is already at the required level, you will get a message indicating so.

Upgrading from ArcGIS Server requires the use of Python. If you are working with ArcGIS Server on Windows or Linux, you can access the appropriate Python 3 environment by using the python.exe which is included with the framework/runtime components of ArcGIS Server. Additionally, on Windows a script batch file is available to launch the Python 3 environment.

To perform the upgrade, create a script using this example Python syntax, and name the script upgrade_gdb.py.


import arcpy
Connection_File_Name_full_path="C:\\temp\\sysadmin_connection.sde"
arcpy.UpgradeGDB_management(Connection_File_Name_full_path, "PREREQUISITE_CHECK", "UPGRADE")

 

On Windows, run the upgrade script explicitly using the Python 3 environment. If ArcGIS Server is installed to the default location, the script can be executed with either of the following commands:

"C:\Program Files\ArcGIS\Server\framework\runtime\ArcGIS\bin\Python\scripts\propy.bat" C:\temp\upgrade_gdb.py

Or

"C:\Program Files\ArcGIS\Server\framework\runtime\ArcGIS\bin\Python\envs\arcgispro-py3\python.exe" C:\temp\upgrade_gdb.py

 

On Linux, launch the Python 3 environment using the following commands:

source /<arcgis_server_installation_directory>/arcgis/server/framework/etc/arcenv
unset LD_PRELOAD
unset CONDA_DEFAULT_ENV

And then execute the upgrade script with the following command:

wine "Z:\<arcgis_server_installation_directory>\arcgis\server\framework\runtime\ArcGIS\bin\Python\envs\arcgispro-py3\python.exe" <path_To>\upgrade_gdb.py

 

Uninstalling this patch on Windows

To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux

Navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

./removepatch.sh


The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

Restart your ArcGIS services.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

PatchFinder for Windows

PatchFinder for Linux/Unix

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options