ArcGIS 10.1 SP1, 10.2.1, and 10.2.2 Web Adaptor for IIS Security (August 2014) Patch
Esri recommends the installation of this security patch for the web adaptor for IIS versions 10.1 - 10.2.2. This patch addresses serious security vulnerabilities in the web adaptor for IIS (the web adaptor for the Java platform is not affected by these vulnerabilities). This patch is specifically for versions 10.1 SP1, 10.2.1 or 10.2.2. Customers who are using 10.1 or 10.2 should apply 10.1 Service Pack 1 or 10.2.2 first.
- Description
- Issues Addressed with this patch
- Installing this patch on Windows
- Patch Updates
- How to identify which ArcGIS products are installed
- Getting Help
Esri® announces the ArcGIS 10.1 SP1, 10.2.1, and 10.2.2 Web Adaptor for IIS Security (August 2014) Patch. This patch addresses two serious security vulnerabilities in the web adaptor. All installations of the Web Adaptor for IIS 10.1 through 10.2.2 are affected. This patch needs to be applied on the latest security baselines for each version (10.1 SP1 and 10.2.2). Please apply the appropriate service pack (10.1 SP1 or 10.2.2) first before applying the patch if not at the latest security baseline. This patch deals specifically with the issues listed below under Issues Addressed with this Patch.
- NIM102891 - ArcGIS Web Adaptor on IIS does not enforce authorization on a restricted URL.
- NIM102631 - Web Adaptor on IIS contains a cross-site scripting (XSS) vulnerability.
Please see Knowledge Base - Technical Article 41548 for more information.
ArcGIS Web Adaptor for IIS must be installed before installing this patch.
- Download the appropriate file for your environment to a location other than your ArcGIS installation location.
- Make sure you have write access to your ArcGIS installation location.
- Double-click the appropriate setup to start the setup process.
NOTE: If double-clicking the MSP file does not start the setup installation, you can start it manually with the following command:
msiexec.exe /p [location of Patch]\ArcGIS-<Version>-<Product>-SEC-Patch.msp
|Version|Product|Patch file|Checksum (MD5)|
|---|---|---|---|
|10.1 Service Pack 1|ArcGIS Web Adaptor|ArcGIS-101SP1-WAI-SEC-Patch.msp|53FE342B1096CE3DBE4C94AC16C4B139|
|10.2.1|ArcGIS Web Adaptor|ArcGIS-1021-WAI-SEC-Patch.msp|0FF0E84950C4DC70739BC08DEB9DCE5A|
|10.2.2|ArcGIS Web Adaptor|ArcGIS-1022-WAI-SEC-Patch.msp|E0F9AD5A8542E791415F7F3006D395CF|
While installing the patch, IIS will be restarted and resources accessed through the Web Adaptor will be temporarily unavailable.
If a machine has multiple IIS Web Adaptors installed on it, launching the patch will trigger the installation wizard to run once for all the installed Web Adaptors.
After applying the patch to a Web Adaptor, you may choose to install additional Web Adaptors. Installing additional Web Adaptors will require applying the patch again. Until the patch is applied again, opening the configuration page for a new Web Adaptor will fail with an IIS error.
After applying the patch, you do not need to open the configuration page to register the Web Adaptor again.
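The download, checksum and msiexec steps above can be combined into one check, shown here as an added example that is not part of Esri's patch or documentation. The script name (Test-WebAdaptorPatch.ps1), the parameter names and the -Install switch are assumptions; the file names and MD5 values are the ones in the table above.

```powershell
# Test-WebAdaptorPatch.ps1 (hypothetical name): added example, not Esri's own code.
# Compares a downloaded patch with the MD5 published on this page and, with
# -Install, applies it using the msiexec /p command given above.
param(
    [Parameter(Mandatory = $true)]
    [string]$PatchPath,   # assumed parameter: full path to the downloaded .msp
    [switch]$Install      # assumed switch: apply the patch after a successful check
)

# File names and checksums copied from the table on this page.
$published = @{
    'ArcGIS-101SP1-WAI-SEC-Patch.msp' = '53FE342B1096CE3DBE4C94AC16C4B139'
    'ArcGIS-1021-WAI-SEC-Patch.msp'   = '0FF0E84950C4DC70739BC08DEB9DCE5A'
    'ArcGIS-1022-WAI-SEC-Patch.msp'   = 'E0F9AD5A8542E791415F7F3006D395CF'
}

$file     = Get-Item -LiteralPath $PatchPath -ErrorAction Stop
$expected = $published[$file.Name]
if (-not $expected) {
    # A renamed file cannot be matched to a published checksum, so stop here.
    throw "Unrecognized file name '$($file.Name)'. Expected one of: $($published.Keys -join ', ')"
}

# MD5 shows the download is complete and uncorrupted; it is not a signature
# and does not prove who published the file.
$actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
if ($actual -ne $expected) {
    throw "MD5 mismatch for $($file.Name): expected $expected, got $actual. Download the file again."
}
Write-Host "MD5 matches the published value for $($file.Name)."

if ($Install) {
    # IIS is restarted during installation, so run this in a maintenance window.
    $msiArgs = @('/p', "`"$($file.FullName)`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success with a reboot required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with code $($proc.ExitCode)."
    }
    Write-Host "Patch applied (msiexec exit code $($proc.ExitCode))."
}
```

Run it from an elevated PowerShell 4.0 or later session; without -Install it only reports whether the file matches.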
Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.
September 2, 2014: A link to Knowledge Base - Technical Article 41548 has been added.
October 2, 2014: Additional installation notes added.
To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.
Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.