
ArcGIS Server Map and Feature Service Security Patch

Summary

This security patch addresses a security vulnerability found in ArcGIS Server map and feature services. Esri recommends that all customers using ArcGIS Server 10.8.1, 10.7.1, and 10.6.1 apply this patch.

Description

Esri® announces the ArcGIS Server Map and Feature Service Security Patch. Esri recommends that all customers using ArcGIS Server 10.8.1, 10.7.1, and 10.6.1 apply this patch. This patch deals specifically with the issues listed below under Issues Addressed with this patch.


Issues Addressed with this patch


To avoid conflicts at 10.8.1 these issues are also addressed:
  • BUG-000137139 - Optimize UpdateAssociationInfo function by splitting the query to discover from/toglobalid associations
  • BUG-000136979 - Validate Network Topology incorrectly allocating large amounts of memory impacting server soc mem usage
  • BUG-000136892 - When a -1 is returned to ArcGIS Pro the conflict resolution dialog is unable to properly present the conflicts
  • BUG-000136296 - Long running reconciles may block users from editing Default or reconciling other versions with Branch Versioning.
  • BUG-000135328 - Reconcile fails on a branch version and returns the error message, "A row with this OID already exists."
  • BUG-000135117 - Updating the subnetwork on a geographic coordinate system (GCS) spatial reference utility network fails the second time for short lines.
  • BUG-000134954 - Reconciling multiple versions in the utility network using the Reconcile Versions tool crashes the ArcSOC.exe instance.
  • BUG-000134950 - Crash occurs when reconcile is executed while a related destination table was not registered as versioned
  • BUG-000134496 - Using the 'Reconcile Versions' tool and leaving the 'Abort if conflicts detected' parameter unchecked, the session is still aborting the reconcile.
  • BUG-000133698 - Enabling the topology with the 'Only generate errors' option does not clean the dirty areas of the error.
  • BUG-000132887 - The electric subnet lines and electric lines do not overlap when the UN is in a GCS of 'GDA2020'.
To avoid conflicts at 10.6.1 these issues are also addressed:
  • BUG-000137702 - Addresses a crash in ArcGIS when working with PMF files
  • BUG-000132034 - In Portal for ArcGIS, when the name of the attachment file is Japanese, an attached file is unable to open but can be downloaded.
  • BUG-000131010 - The Find command in ArcGIS Desktop and ArcGIS Servers REST endpoint takes exponentially longer to execute from 10.6.0 to 10.6.1.
  • BUG-000130724 - The Con method of the Spatial Analyst component RasterConditionalOp fails with error unexpectedly when called in a pre-10 syntax.
  • BUG-000128883 - The Register with Geodatabase geoprocessing tool loads and operates slowly in ArcMap when registering large spatial tables or views with an enterprise geodatabase.
  • BUG-000128381 - One-way replica synchronization fails with error: 'Synchronize Replica Failed [<schema>.<featureclass>] Table not registered [PEA.GDB_TEMP_USER_IDS]'.
  • BUG-000128060 - ArcGIS Server has a Server Side Request Forgery (SSRF) security vulnerability.
  • BUG-000126701 - Hosted services fail to restore if their associated view is alphabetically listed after the hosted service.
  • BUG-000126173 - GeoAnalytics Server doesn't support connections to Hadoop with Kerberos authentication when Hadoop's hadoop.rpc.protection property is set to "privacy" or "integrity".
  • BUG-000125044 - Hosted feature service has a stored cross-site scripting (XSS) vulnerability.
  • BUG-000124827 - On a multiple-machine ArcGIS Server site that has one or more cached map services that have been consumed through ArcMap or a SOAP client, publishing a service or stopping/starting a service causes all services on the machines to restart.
  • BUG-000124386 - Correct the order of operations during importSite.
  • BUG-000124326 - Renaming an SDO_Geometry feature class fails on Oracle 19c.
  • BUG-000124325 - Create Spatial Type fails on Oracle 19c.
  • BUG-000124079 - Running block adjustment on imagery collection the second time may fail with missing default elevation value.
  • BUG-000123103 - ArcGIS Server improperly handles an incorrect CORS origin.
  • BUG-000122408 - A custom certificate for the server of the web server is not maintained when restoring a webgisdr backup.
  • BUG-000122285 - ArcGIS Enterprise 3D scene services deliver poor throughput and do not scale well across multiple GIS nodes.
  • BUG-000121595 - Occasional/Intermittent site creation and create service/Delete service issue with Server.
  • BUG-000120805 - ArcGIS Server has an access control issue.
  • BUG-000120195 - Failed to restore hosted services containing associated views.
  • BUG-000119801 - Sample fails when more than one mosaic datasets are input as input rasters.
  • BUG-000119759 - Improve the quality and performance of the Sample tool.
  • BUG-000119534 - Path Allocation produces incorrect results when the source characteristics are specified.
  • BUG-000119493 - Sink tool creates two unique values for sink regions that are diagonally connected. This is incorrect as diagonally connected sinks should be identified with a single unique value.
  • BUG-000119425 - The SummarizeRasterWithin and ConvertRasterToFeature tasks in ArcGIS Image Server crashes when trying to directly read an input image service collocated on a cloud raster store.
  • BUG-000119424 - Zonal Geometry as Table and Zonal Geometry tools generate incorrect results when a field other than value was used. In this case, the logic for calculating zonal geometry properties is not correct, and the software may crash.
  • BUG-000119423 - Watershed tool hangs when processing extent is set to a single cell catchment.
  • BUG-000119422 - Flow distance tool in modelbuilder does not display 'FlowDistanceType' parameter.
  • BUG-000119421 - Flow Distance tool produces NoData for majority of cells when input surface raster is not hydro conditioned.
  • BUG-000119419 - Euclidean Direction using high resolution data produces incorrect output.
  • BUG-000119323 - RasterToPolygon with "Create multipart features" enabled, locks the output for editing.
  • BUG-000119030 - Querying or selecting from a compressed file geodatabase over eight times in ArcGIS Desktop 10.6.1 is slower than in ArcGIS Desktop 10.5.1.
  • BUG-000118421 - If there are non-English characters in a connection string, the Copy Raster tool will return this error when importing a raster in an enterprise geodatabase, "ERROR 999999: Error executing function. No raster store is configured. Not running inside a server process. Failed to execute (CopyRaster).''
  • BUG-000118138 - ArcGIS Double fields with precision = 10 and scale = 0 in an Oracle geodatabase are altered automatically to Long Integer after previewing in ArcGIS 10.6.1/ArcGIS Pro 2.2 or later clients. An error is returned, "[ORA-01455: converting columns overflows integer datatype]" if the fields contain numbers larger than the maximum for a Long Integer (2,147,483,647).
  • BUG-000117983 - Access control issue in the ArcGIS Server tile handler.
  • BUG-000117954 - Scene service should ignore certificate errors while consuming scene caches in scene viewer.
  • BUG-000117633 - In 10.6.1 and prior, the message bus platform service may not be initialized correctly in all environments.
  • BUG-000117372 - Cross-site scripting (XSS) in Server Admin api.
  • BUG-000116972 - Collector for ArcGIS (iOS) fails to submit photo attachments to hosted feature layers in ArcGIS Enterprise 10.6.1.
  • BUG-000116939 - Within ArcMap 10.6.1, the 'Find' & 'Find Route' Tools initialize slowly; cause AppHang exceptions in severe cases.
  • BUG-000116614 - The related table returns an incorrect selection result when more than 99 records are selected in the feature class involved in a relationship class.
  • BUG-000116589 - Cost Path and Cost Path as Polyline with flow direction input for backlink raster is slow.
  • BUG-000116047 - Cost Path produces incorrect output when Flow Direction raster is used as input for distance and backlink raster.
  • BUG-000115799 - Vector Tile Layers hosted in ArcGIS Enterprise 10.6.1 do not overzoom successfully when viewed in the Map Viewer.
  • BUG-000115304 - In multiple ArcGIS Server machine sites, the ImportSite operation modifies the server machine property options pertaining to HTTPS on machines other than the one running the Importsite.
  • BUG-000115147 - When calling ITopologicalOperator::Buffer on a polygon, if the polygon is degenerated to a point, the buffer call crashes.
  • BUG-000115103 - ArcGIS Desktop crashes on importing changes when run on specific data.
  • BUG-000113368 - Euclidean allocation, distance and direction tools are much slower in current version verses previous version of ArcMap.
  • BUG-000113339 - The ArcGIS Server 10.6 (or 10.7.1) export site operation returns the error message, "Export operation failed. null" within Amazon Web Services (AWS) on Microsoft Windows and Linux (or Azure).
  • BUG-000112999 - The Export to CAD tool in ArcGIS Desktop 10.6 does not create blocks in the output DWG file. This worked successfully with data provided in version 10.5.1.
  • BUG-000111075 - A feature service consumed in a GeoEvent Service fails to re-establish communication with the database once the database connection comes back after a communication failure.
  • BUG-000111075 - Service recycling after a DB connection failure does not happen for Feature Server.
  • BUG-000098315 - Sample return Null data, when input raster is Mosaic.
  • BUG-000096996 - ExtractMultiValuestoPoints, ExtractValuestoPoints returns error when the input points feature is a XY Event Layer.
  • BUG-000089296 - Feature service attachments in ArcGIS GIS Server are downloaded in Mozilla Firefox and Google Chrome web browsers, instead of being opened in a new browser tab or window.
  • BUG-000088196 - The Find tool prompts to log in to an ArcGIS Online subscription account even when not using any Ready-To-Use Services.

Installing this patch on Windows


Installation Steps:


This patch should be installed on all ArcGIS Server installations related to the ArcGIS Server site.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. ArcGIS 10.8.1
       ArcGIS Server: ArcGIS-1081-S-MFSS-Patch.msp
       Checksum (SHA256): 8EABA2689F3A3B14895BA0E7641F7E037E9600DC80AE2097E328718496CD4C39

     ArcGIS 10.7.1
       ArcGIS Server: ArcGIS-1071-S-MFSS-Patch.msp
       Checksum (SHA256): BA0E9962DC81F02E1A29B6D4542D3AF589B24011F0D2DF112B25ABC85AB7D9E2

     ArcGIS 10.6.1
       ArcGIS Server: ArcGIS-1061-S-MFSS-Patch.msp
       Checksum (SHA256): 57663F987960238CF1456EAACDCFD10558588EE0B0FD4C6850401C379BF577A3

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-1081-S-MFSS-Patch.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-1081-S-MFSS-Patch.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder. This patch should be installed on all ArcGIS Server installations related to the ArcGIS Server site.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


     ArcGIS 10.8.1
       ArcGIS Server: ArcGIS-1081-S-MFSS-Patch-linux.tar
       Checksum (SHA256): 57B93163582C355B77B18282074DA4071F1B4C792D6D6896A53C7EA86250E0D2

     ArcGIS 10.7.1
       ArcGIS Server: ArcGIS-1071-S-MFSS-Patch-linux.tar
       Checksum (SHA256): 924E5E49E9E7ED41F7A7415653BF82D83BFEC694B28035088D156B6ABD683B2A

     ArcGIS 10.6.1
       ArcGIS Server: ArcGIS-1061-S-MFSS-Patch-linux.tar
       Checksum (SHA256): 9245F36DB544DA62ECC4A18BFCE73FAFCB49D1929EB1026E7CE837EC4CDA4FDA

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-1081-S-MFSS-Patch-linux.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
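
The downloaded archive can be checked against the SHA256 values listed in step 1 before it is extracted and applied. The script below is an added example, not part of Esri's patch documentation; the function names are hypothetical and it assumes GNU sha256sum is installed.

```shell
#!/usr/bin/env bash
# Added example (not Esri's script): check a downloaded patch archive against
# the SHA256 published on this page before running tar or ./applypatch.

# Published digests for the Linux archives, copied from the table in step 1.
published_sha256() {
    case "$(basename "$1")" in
        ArcGIS-1081-S-MFSS-Patch-linux.tar) echo 57B93163582C355B77B18282074DA4071F1B4C792D6D6896A53C7EA86250E0D2 ;;
        ArcGIS-1071-S-MFSS-Patch-linux.tar) echo 924E5E49E9E7ED41F7A7415653BF82D83BFEC694B28035088D156B6ABD683B2A ;;
        ArcGIS-1061-S-MFSS-Patch-linux.tar) echo 9245F36DB544DA62ECC4A18BFCE73FAFCB49D1929EB1026E7CE837EC4CDA4FDA ;;
        *) return 1 ;;
    esac
}

# Compare a file's SHA256 with an expected hex digest, ignoring case:
# the page lists digests in uppercase, sha256sum prints lowercase.
check_sha256() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    # Exactly 64 hex characters, otherwise the expected value is malformed.
    case "$expected" in *[!0-9a-f]*) return 2 ;; esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 3
    actual=$(sha256sum -- "$file" | cut -d' ' -f1) || return 3
    [ "$actual" = "$expected" ]
}

# Verify a patch archive by file name; returns 0 only on an exact digest match.
verify_patch() {
    local expected
    expected=$(published_sha256 "$1") || { echo "unknown patch file: $1" >&2; return 4; }
    if check_sha256 "$1" "$expected"; then
        echo "OK: $1"
    else
        echo "checksum verification FAILED, do not install: $1" >&2
        return 1
    fi
}

# Usage: ./verify.sh ArcGIS-1081-S-MFSS-Patch-linux.tar && tar -xvf ArcGIS-1081-S-MFSS-Patch-linux.tar
if [ "$#" -gt 0 ]; then verify_patch "$1"; fi
```

Run it as the ArcGIS Install owner in the download directory, and only continue to the tar and applypatch steps when it exits with status 0.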

Uninstalling this patch on Windows


To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux


To remove this patch on versions 10.7 and higher, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:



./removepatch.sh

The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

Restart your ArcGIS services.



Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.