Patches and updates
ArcGIS 10.2 for Server Security Patch (September 2013)
Summary
Description
EsriĀ® announces the ArcGIS 10.2 for Server Security Patch (September 2013). This patch addresses a persistent cross-site scripting vulnerability that requires administrative access in order to exploit. For further details please read the knowledge base article 41468.
This patch also addresses a vulnerability that allows authenticated administrators to upload any type of file including potentially unsafe files.
This patch also provides a new security option for administrators. ArcGIS for Server allows tokens to be acquired through HTTP GET requests. This patch provides a new option to only grant tokens when an HTTP POST is used. HTTP GET requests expose credentials in the request URL in plain text format which may be stored in browser history or in network components. To learn more about this feature and how to activate it, please see the following help topics:
- Disabling token acquisition through HTTP GET requests (Windows)
- Disabling token acquisition through HTTP GET requests (Linux)
Finally the patch addresses a SQL-injection vulnerability that affects ArcGIS for Server deployments with relational databases such as SQL Server, Oracle, PostgreSQL, DB2, or Informix. The SQL-injection vulnerability allows unauthorized modification of data. It deals specifically with the issues listed below under Issues Addressed with this Patch.
Issues Addressed with this Patch
- NIM092795 - The File Upload Filter for mobile content directories should block an upload of unwanted file types.
- NIM092820 - The Mobile Content Directory in ArcGIS Server 10.1 SP1 has persistent cross site scripting vulnerabilities.
- NIM092841 - Add a configurable property to the ArcGIS token service that disables support for HTTP GET.
- NIM094447 - There is a SQL injection vulnerability in map and feature services that allows unauthorized modification of data.
- NIM094481 - When StandardizedQueries is True, a map service's query operation ignores the definition expression set on the layer in the source map document when outStatistics gets used.
- NIM097252 - Asking for the extent of a 10.x fileGDB or SDE feature class after copy and paste returns none even if features exist.
Files Installed with this Patch
- BasemapLayer.dll
FileGDB.dll
GdbCore.dll
GdbCoreLib.dll
GdbNetwork.dll
KmlConverterX.dll
MappingCoreLib.dll
MappingServicesLib.dll
MapServerX.dll
OleFDB.dll
sde.dll
SdeFDB.dll
- arcgis-admin.jar
arcgis-mcs-framework.jar
arcgis-resources.jar
arcgis-securitylib.jar
- arcgis#mobile
- arcgis-securitylib.jar
- arcgis-securitylib.jar
- arcgis-securitylib.jar
- arcgis-securitylib.jar
Installing this Patch on Windows
Installation Notes:
System Administrators: A technical paper is available that discusses the enterprise deployment of ArcGIS 10.2 setups using Microsoft Systems Management Server (SMS), System Center Configuration Manager (SCCM), and Group Policy, including additional system requirements, suggestions, known issues, and Microsoft Software Installation (MSI) command line parameters. Deployment in a lockdown environment is also covered. ArcGIS 10.2 Enterprise Deployment.
Installation Steps:
ArcGIS 10.2 for Server must be installed before you can install this patch.
- Download the appropriate file to a location other than your ArcGIS installation location.
Checksum (Md5) ArcGIS for Server ArcGIS-102-S-SSEC-PatchB.msp 54A87BFCD807F6E8E4965D9DAA7C0C8B - Make sure you have write access to your ArcGIS installation location.
- Double-click ArcGIS-102-S-SSEC-PatchB.msp to start the install process.
NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:
msiexec.exe /p [location of Patch]\ArcGIS-102-S-SSEC-PatchB.msp
Installing this Patch on Linux
Installation Notes:
System Administrators: A technical paper is available that discusses the enterprise deployment of ArcGIS 10.2 setups using Microsoft Systems Management Server (SMS), System Center Configuration Manager (SCCM), and Group Policy, including additional system requirements, suggestions, known issues, and Microsoft Software Installation (MSI) command line parameters. Deployment in a lockdown environment is also covered. ArcGIS 10.2 Enterprise Deployment.
Installation Steps:
Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.
ArcGIS 10.2 for Server must be installed before you can install this patch.
- Download the appropriate file to a location other than your ArcGIS installation location.
Checksum (md5) ArcGIS Server ArcGIS-102-S-SSEC-PatchB-lx.tar A63194EF54AB9F46FAB865C3D38C71F7 - Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.
- Extract the specified tar file by typing:
% tar -xvf ArcGIS-102-S-SSEC-PatchB-lx.tar - Start the Installation by typing:
% ./applypatch
This will start the dialog for the menu-driven setup procedure. Default selections are noted in parentheses ( ). To quit the setup procedure, type 'q' at any time.
Patch Updates
Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.
How to identify which ArcGIS products are installed
To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.
- PatchFinder for Windows
- PatchFinder for Unix/Linux
Getting Help
Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.
Download ID:2009
Get help from ArcGIS experts
Download the Esri Support App