ArcGIS Server Security 2025 Update 1 Patch
Summary
Esri announces the ArcGIS Server Security 2025 Update 1 Patch. Esri recommends that all customers using ArcGIS Server 11.3, 11.2, 11.1, and 10.9.1 apply this patch. The patch addresses both security and non-security defects, specifically the issues listed below under Issues addressed with this patch.
This patch can be uninstalled as outlined in the Uninstalling this patch on Windows and Uninstalling this patch on Linux sections below. Additionally, Esri recommends developing a rollback plan before installing patches. For those utilizing a highly available environment, refer to the help topic on how to apply patches in a highly available environment for guidance.
Issues addressed with this patch
- BUG-000172305 - Stored XSS in ArcGIS Server Administrator Directory (11.2, 11.1, 10.9.1)
- BUG-000172304 - Stored XSS in ArcGIS Server Rest services
- BUG-000172303 - Stored XSS in ArcGIS Server Rest services
- BUG-000172302 - Stored XSS in ArcGIS Server Rest services
- BUG-000172301 - Stored XSS in ArcGIS Server Administrator Directory
- BUG-000172300 - Stored XSS in ArcGIS Server Rest services
- BUG-000172299 - Stored XSS in ArcGIS Server Rest services
- BUG-000172298 - Stored XSS in ArcGIS Server Rest services
- BUG-000172297 - Stored XSS in ArcGIS Server Rest services
- BUG-000172296 - Stored XSS in ArcGIS Server Administrator Directory
- BUG-000172295 - Stored XSS in ArcGIS Server Rest services
- BUG-000172294 - Stored XSS in ArcGIS Server Administrator Directory
- BUG-000172293 - Stored XSS issue in ArcGIS Server Manager (11.2, 11.1, 10.9.1)
- BUG-000172291 - Stored XSS in ArcGIS Server Administrator Directory (11.2, 11.1, 10.9.1)
- BUG-000172290 - Directory traversal vulnerability in ArcGIS Server (11.2, 11.1, 10.9.1)
- BUG-000172289 - Stored XSS vulnerability in ArcGIS Rest Services Directory (11.2, 11.1, 10.9.1)
- BUG-000172287 - Stored XSS in ArcGIS Server Administrator Directory
- BUG-000171805 - In a stand-alone ArcGIS Server deployment, custom data feeds for feature services cannot be secured. (11.3, 11.2, 11.1)
- BUG-000171492 - The pipe character operator in a regular expression does not return features when filtering hosted feature services using the spatiotemporal big data store. (11.2)
- BUG-000171445 - Directory traversal vulnerability in ArcGIS Server
- BUG-000171444 - SQL injection vulnerability in ArcGIS Server
- BUG-000171443 - Local file inclusion (LFI) vulnerability in ArcGIS Server
- BUG-000171441 - Stored XSS in ArcGIS Server Manager
- BUG-000171439 - Stored XSS in ArcGIS Server Administrator Directory
- BUG-000171436 - Stored XSS vulnerability in ArcGIS Server Rest services
- BUG-000171435 - Unauthorized access to secure services in ArcGIS Server (11.3, 11.2, 11.1)
- BUG-000171366 - The applyEdits operations do not execute pending the completion of concurrent append operations. (11.3, 11.2, 11.1)
- BUG-000171365 - Inconsistent maxFieldNameLength service property value after adding the first layer to the service. (11.3)
- BUG-000171364 - Update definition call fails with a database error when adding a DateOnly or TimeOnly field to a layer template. (11.3)
- BUG-000169392 - Adding new features with text field value left bracket (<) followed by an alphabet to the feature service fails when the 'rollbackOnFailure' option is false, ultimately leading to corruption of the system-maintained i-table. (11.3, 11.2, 11.1)
- BUG-000168963 - Database connection strings inside of ArcGIS Server's dsconnections.lst files may become damaged when validating data store connections in ArcGIS Server. (11.3)
- BUG-000167757 - Downloading PDF attachments larger than 5 MB fails when ArcGIS Server is installed on Linux. (11.2)
- BUG-000165095 - The generateToken request references a relative path sequence in the serverUrl parameter
- BUG-000114507 - Portal for ArcGIS creates duplicate items upon overwriting an existing service in a federated server, failing due to inaccessibility of data. (10.9.1)
To avoid conflicts the 11.3 version also addresses:
- BUG-000151001 - Intermittently, when opening a web application containing several services in ArcGIS Enterprise, one of the included feature services prompts for authentication, despite being shared publicly.
To avoid conflicts the 11.2 version also addresses:
- BUG-000162310 - Creating an entity or relationship types occasionally fails without any error messages.
To avoid conflicts the 11.1 version also addresses:
- BUG-000163353 - Hosted feature service stores incorrectly self-intersecting polylines as multi-part polylines.
- BUG-000162858 - Restore of Workflow Manager Server hosted services using the WebGISDR tool fails to retain _views_ services due to issue in service creation.
- BUG-000161319 - Vector tile layers sometimes display incomplete or blank tiles at certain scale levels.
- BUG-000161218 - Long running geoprocessing jobs may fail due to premature token expiration.
- BUG-000160408 - Incorrect encoding of special characters in the ArcGIS Data Store 11.1 spatiotemporal data stores.
- BUG-000160218 - Incorrect mapping of the ArcGIS data type 'Date' for hosted knowledge graphs.
- BUG-000160039 - An error "Insufficient number of object IDs allocated" occurs while editing a hosted feature service.
- BUG-000158883 - Metadata for sublayers of a hosted or non-hosted feature layer in Portal for ArcGIS returns an error, "Error transforming metadata for the layer Code: 400".
- BUG-000158047 - When making multiple requests to a map service with the returnAdvancedSymbols property being true, non-ASCII-characters are incorrectly encoded in responses after the initial request.
- BUG-000158045 - The feature service layer resources with 'returnAdvancedSymbols=true' and 'returnDomainNames=true' have inconsistent responses.
- BUG-000158036 - Non-English characters are not displayed properly in custom data feed feature service responses.
- BUG-000154221 - After installing the ArcGIS Server Security 2022 Update 1 or 2 Patch, the KML region URL of a map service is invalid.
- BUG-000147597 - ArcGIS Enterprise hosted services may fail after a machine restart.
To avoid conflicts the 10.9.1 version also addresses:
- BUG-000169789 - The failure to replace the layer causes the production layer item to become unusable because the vector tile service has been deleted.
- BUG-000168963 - Database connection strings inside of ArcGIS Server's dsconnections.lst files may become damaged when validating data store connections in ArcGIS Server.
- BUG-000166445 - Attempts to register additional machines during the import site can fail with an 'Admin URL unreachable' exception.
- BUG-000165622 - The replace layer operation fails intermittently.
- BUG-000165535 - Creating ArcGIS Server backups may fail if there are ongoing geoprocessing services or other types of asynchronous jobs.
- BUG-000165312 - ArcGIS Server backup.py and restore.py do not restore Active Directory users' roles if they are assigned built-in roles.
- BUG-000161866 - Joining machines back to site during importSite fails due to HTTPS connection refused.
- BUG-000161218 - Long running geoprocessing tasks may fail due to premature token expiration.
- BUG-000158075 - Feature service attachments should allow users to choose which attachment extensions are allowed in the organization.
- BUG-000158047 - When making multiple requests to a map service with the returnAdvancedSymbols property being true, non-ASCII-characters are incorrectly encoded in responses after the initial request.
- BUG-000157995 - On Linux, the restore of the relational data store may not complete if the ArcGIS Server site it is registered to is HA.
- BUG-000156962 - When importing a backup to ArcGIS Server, the web server may restart causing the restore operation to fail.
- BUG-000155043 - The append operation on an editor tracking enabled layer updates a created user field with the editing user, when 'upsert=true' and 'skipInserts=true'.
- BUG-000154221 - After installing the ArcGIS Server Security 2022 Update 1 or 2 Patch, the KML region URL of a map service is invalid.
- BUG-000154194 - Service creation in a single folder can cause failure to create services on high specification machines in an ArcGIS Server site.
- BUG-000154070 - Stored XSS issue in the ArcGIS REST Services directory.
- BUG-000153493 - Installing ArcGIS Server Security 2022 Update 1 Patch or Update 2 Patch on ArcGIS Server 10.8.1 affects the access to existing Workflow Manager (Classic) feature services.
- BUG-000153438 - ArcGIS Server services folders become inaccessible in the REST endpoint if a folder has a dot (.) in its name and the security patches are installed.
- BUG-000152562 - Slow performance when loading ArcGIS Server feature service with returnAdvancedSymbols parameter in the request URL.
- BUG-000152121 - Directory traversal vulnerability in ArcGIS Server.
- BUG-000152111 - Mobile workers should not be able to query or edit assignments not assigned to them when accessing the assignments feature service outside of the Workforce mobile app.
- BUG-000151727 - WMTS-Capabilities file cannot be retrieved after installation of the ArcGIS Server Security 2022 Update 1 Patch.
- BUG-000151381 - Members assigned roles without the edit privilege are unable to edit publicly shared hosted feature layers that have editing, edit tracking and public data collection enabled.
- BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server.
- BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability.
- BUG-000148347 - Unvalidated redirect issue in ArcGIS Server.
- BUG-000148146 - Applying the ArcGIS Server Log4j Patch on an AWS (Amazon Web Services) deployment may cause a machine to be removed from the ArcGIS Server site.
- BUG-000147840 - The Search GET response from an ArcGIS Knowledge Server displays "compressed_frames == true" even though the frames are not compressed.
- BUG-000147597 - Upgrading a base ArcGIS Enterprise deployment causes hosted services to fail intermittently after a machine reboot.
- BUG-000147017 - Incorrect statistics for a hosted feature layer in ArcGIS Enterprise 10.9.1.
- BUG-000146564 - Querying a hosted feature service with the returnIdsOnly=true parameter to return several million features, permanently loads the CPU of the hosting GIS server to 100% and makes it inaccessible until restarting the service.
- BUG-000146513 - Reflected XSS vulnerability in ArcGIS Server.
- BUG-000145681 - Create service fails when the knowledge server does not include GIS Server license.
- BUG-000145551 - Attempting to display a hosted feature layer in Portal for ArcGIS 10.9.1 after a transformation configuration from WGS 1984 to ITM fails.
- BUG-000145345 - Update log4j to address security vulnerabilities.
- BUG-000144906 - Unable to save a generated domain list or delete an existing domain list in Portal for ArcGIS 10.9.1.
- BUG-000144441 - Renaming a machine after create site fails.
- BUG-000144172 - Remote file download issue in ArcGIS Server.
- BUG-000133297 - The size of the server.xml file keeps changing after restarting the ArcGIS Server service.
- BUG-000128912 - The usage report in the ArcGIS Server statistics does not generate an accurate result as it shows the value 2147483647 if instances in use reach the max instance under the ServiceRunningInstancesMax metric.
Installing this patch on Windows
On Windows, the release date order of the patches does not matter when installing multiple patches. If an older patch is installed after a newer patch, the newer patch takes precedence and the fixes from the newer patch will remain. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.
The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.
Step 1: Download the appropriate file to a location other than your ArcGIS installation location.
ArcGIS Enterprise version | Product | Patch file | Checksum (SHA256)
11.3 | ArcGIS Server | ArcGIS-113-S-SEC2025U1-Patch.msp | E9503CBE4E5EB4233B252E0BF8473A9F68075EDFF713D9C4EB12F2E3953D6FED
11.2 | ArcGIS Server | ArcGIS-112-S-SEC2025U1-Patch.msp | 1158F35C94AE36051D201950F72015EEB94ED3E86CC03DD4368D9151855FFA33
11.1 | ArcGIS Server | ArcGIS-111-S-SEC2025U1-Patch.msp | EE67A9BAC80B0586CC6A7D8BAA730ED70CC95D3B90FA2F95824ED1307D3D3F14
10.9.1 | ArcGIS Server | ArcGIS-1091-S-SEC2025U1-Patch.msp | 25380377CF81F0ED345F7279B5719D49FD865F5C470BF50815A518DA125F6F02
Step 2: Make sure you have write access to your ArcGIS installation location.
Step 3: Double-click ArcGIS-<Version>-S-SEC2025U1-Patch.msp (the file name from the table above) to start the setup process.
NOTE: If double-clicking the MSP file does not start the setup, you can start it manually with the following command:
msiexec.exe /p [location of Patch]\ArcGIS-<Version>-S-SEC2025U1-Patch.msp
Installing this patch on Linux
On Linux, the release date order of the patches matters when installing multiple patches. If an older patch is installed after a newer patch, the older patch will replace the newer patch and the fixes in the newer patch will be removed. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.
Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder. This patch should be installed on all ArcGIS Server installations related to the ArcGIS Server site.
The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.
Step 1: Download the appropriate file to a location other than your ArcGIS installation location.
ArcGIS Enterprise version | Product | Patch file | Checksum (SHA256)
11.3 | ArcGIS Server | ArcGIS-113-S-SEC2025U1-Patch-linux.tar | C5957555F01CDBEB1BC8102F2448A3AFC7CFA38C1595EAEA24CEFC2C30F91812
11.2 | ArcGIS Server | ArcGIS-112-S-SEC2025U1-Patch-linux.tar | 94DD0AC8C0E12939E923E7A79B4BBEE177FD28BBDD4AD53AC57720CCD3978999
11.1 | ArcGIS Server | ArcGIS-111-S-SEC2025U1-Patch-linux.tar | 5A11C7CE67D8CBFAF5DDD0C80C355A0B410108F1790883D67247D4709477B3E3
10.9.1 | ArcGIS Server | ArcGIS-1091-S-SEC2025U1-Patch-linux.tar | 25FFCB5B5FC2017EB6935937F5868D80C27CA1B778503EB5D2948F577F33621C
Step 2: Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.
Step 3: Extract the specified tar file by typing:
% tar -xvf ArcGIS-<Version>-S-SEC2025U1-Patch-linux.tar
Step 4: Start the installation by typing:
% ./applypatch
This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
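An added check for Step 1 of both the Windows and Linux procedures, not part of Esri's instructions or tooling: a POSIX shell script that recomputes the SHA256 of each downloaded patch file and compares it with the digest published in the tables above, case-insensitively, because Esri lists the digests in upper-case hex while sha256sum prints lower-case. The file names and digests are copied from this page; the function names verify_patch_checksum and verify_all are chosen here.

```shell
#!/bin/sh
# Added example (not Esri's tooling): verify downloaded ArcGIS Server
# SEC2025U1 patch files against the published SHA256 digests before install.

# Print the SHA256 of a file as lower-case hex, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_patch_checksum FILE EXPECTED: returns 0 if the digest matches, 1 otherwise.
# Esri publishes digests in upper-case hex, so the comparison is case-insensitive.
verify_patch_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Published file names and digests (copied from the patch tables). Files that
# were not downloaded are skipped; any mismatch makes the function return 1.
verify_all() {
    rc=0
    while read -r name digest; do
        [ -f "$name" ] || { echo "SKIP $name (not downloaded)"; continue; }
        verify_patch_checksum "$name" "$digest" || rc=1
    done <<'EOF'
ArcGIS-113-S-SEC2025U1-Patch.msp E9503CBE4E5EB4233B252E0BF8473A9F68075EDFF713D9C4EB12F2E3953D6FED
ArcGIS-112-S-SEC2025U1-Patch.msp 1158F35C94AE36051D201950F72015EEB94ED3E86CC03DD4368D9151855FFA33
ArcGIS-111-S-SEC2025U1-Patch.msp EE67A9BAC80B0586CC6A7D8BAA730ED70CC95D3B90FA2F95824ED1307D3D3F14
ArcGIS-1091-S-SEC2025U1-Patch.msp 25380377CF81F0ED345F7279B5719D49FD865F5C470BF50815A518DA125F6F02
ArcGIS-113-S-SEC2025U1-Patch-linux.tar C5957555F01CDBEB1BC8102F2448A3AFC7CFA38C1595EAEA24CEFC2C30F91812
ArcGIS-112-S-SEC2025U1-Patch-linux.tar 94DD0AC8C0E12939E923E7A79B4BBEE177FD28BBDD4AD53AC57720CCD3978999
ArcGIS-111-S-SEC2025U1-Patch-linux.tar 5A11C7CE67D8CBFAF5DDD0C80C355A0B410108F1790883D67247D4709477B3E3
ArcGIS-1091-S-SEC2025U1-Patch-linux.tar 25FFCB5B5FC2017EB6935937F5868D80C27CA1B778503EB5D2948F577F33621C
EOF
    return $rc
}

# Run the table check from the download directory: sh verify_patch.sh --check
case "${1:-}" in --check) verify_all ;; esac
```

On Windows the same comparison can be made with Get-FileHash in PowerShell against the .msp rows of the table; a non-zero exit status here means the file should be re-downloaded rather than installed.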
Uninstalling this patch on Windows
To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.
A Windows restart may be necessary to complete the patch uninstall.
Uninstalling this patch on Linux
Navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:
./removepatch.sh
The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s (status) flag to list the installed patches and hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order of installation. Type ./removepatch.sh -h for usage help.
Restart your ArcGIS services.
How to identify which ArcGIS products are installed
To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.