English

ArcGIS Server Security 2022 Update 1 Patch

Summary

This security patch addresses multiple security vulnerabilities found in ArcGIS Server. Esri recommends that all customers using ArcGIS Server 10.9.1, 10.8.1 and 10.7.1 apply this patch.

Description

Important Note September 1, 2022: The 10.9.1, 10.8.1 and 10.7.1 versions of the ArcGIS Server Security 2022 Update 1 have been re-released to address:

    BUG-000151727 - WMTS-Capabilities file cannot be retrieved after installation of the ArcGIS Server Security 2022 Update 1 Patch.

Additionally, the 10.8.1 version of the patch also addressed:

    BUG-000151760 - Cannot create or move existing features in a hosted feature layer after installing the ArcGIS Server 10.8.1 Security 2022 Update 1 Patch.


Esri® announces the ArcGIS Server Security 2022 Update 1 Patch. Esri recommends that all customers using ArcGIS Server 10.9.1, 10.8.1 and 10.7.1 apply this patch. This patch deals specifically with the issue listed below under Issues Addressed with this patch.

Important Note: This security patch is cumulative and includes several security and non-security related fixes from earlier patches that are also listed below under Issues Addressed with this Patch.


Issues Addressed with this patch



To avoid conflicts on 10.9.1 this patch also addresses:
  • BUG-000148146 - Applying the ArcGIS Server Log4j Patch on an AWS (Amazon Web Services) deployment may cause a machine to be removed from the ArcGIS Server site.
  • BUG-000147840 - The Search GET response from an ArcGIS Knowledge Server displays "compressed_frames == true" even though the frames are not compressed.
  • BUG-000146564 - Querying a hosted feature service with the returnIdsOnly=true parameter to return several million features, permanently loads the CPU of the hosting GIS server to 100% and makes it inaccessible until restarting the service.
  • BUG-000145681 - Create service fails when the knowledge server does not include GIS Server license.
  • BUG-000145551 - Attempting to display a hosted feature layer in Portal for ArcGIS 10.9.1 after a transformation configuration from WGS 1984 to ITM fails.
  • BUG-000145345 - Update log4j to address security vulnerabilities
  • BUG-000144441 - Renaming a machine after create site fails.
To avoid conflicts on 10.8.1 this patch also addresses:
  • BUG-000148710 - A hosted feature layer shared from ArcGIS Pro using ArcGIS Pro default datum transformation displays a shift in Portal Map Viewer when using Esri Basemaps as a background map.

    Note: The full resolution of BUG-000148710 requires an additional fix for BUG-000137729 that is included in a separate hot fix available by request through Esri Technical Support.

  • BUG-000148146 - Applying the ArcGIS Server Log4j Patch on an AWS (Amazon Web Services) deployment may cause a machine to be removed from the ArcGIS Server site.
  • BUG-000148087 - Spatiotemporal Hosted Feature Service Views with Query Top Features ignore Object IDs in a GET Request query.
  • BUG-000146428 - Importing an ArcGIS Server site using the webgisdr utility returns a null error.
  • BUG-000145345 - Update log4j to address security vulnerabilities
  • BUG-000145107 - Unable to access secure services in Portal for ArcGIS 10.8.1 when using a token generated using application credentials.
  • BUG-000144252 - Hosted Feature Service Views with Query Top Features (Top Filter parameter) definition ignore Object IDs in a GET Request query.
  • BUG-000142204 - Setting a field invisible in a hosted feature service view needs to hide the field references from the templates.
  • BUG-000142180 - Hosted feature services vulnerable to XSS.
  • BUG-000142120 - SQL injection vulnerability in ArcGIS Server.
  • BUG-000140344 - Unable to display or edit filters for hosted layer views in ArcGIS Enterprise Portal.
  • BUG-000139857 - Remote file inclusion vulnerability in the ArcGIS Server help documentation.
  • BUG-000138234 - The WebGIS DR backup fails when attempting to create a service.
  • BUG-000137668 - Stored XSS vulnerability in ArcGIS Server Services Directory
  • BUG-000137663 - Stored XSS vulnerability in ArcGIS Server
  • BUG-000137662 - Reflected XSS in ArcGIS Server
  • BUG-000137658 - SSRF vulnerability in ArcGIS Server Manager.
  • BUG-000135919 - When an ArcGIS Server site import fails while using the WebGIS DR utility tool due to returning a null error, the site is not returned to a functional state.
  • BUG-000135918 - Importing an ArcGIS Server site using the webgisdr utility returns a null error.
  • BUG-000135563 - If the field name is named with multibyte strings, using the WHERE clause as the query operation with the field fails.
  • BUG-000134113 - Only update service iteminfo when the Item Description fields are purposefully edited within Server Manager.
  • BUG-000133232 - Add support in ArcGIS Server to ensure ArcGIS Enterprise portal members with custom roles are able to delete their own services when the role includes administrative privileges such as 'View all members' and publisher privileges.
  • BUG-000132999 - In a multi-machine ArcGIS Server site, the restore process may not successfully unregister, and re-register the additional nodes.
  • BUG-000131992 - Reflected cross-site scripting (XSS) vulnerability in ArcGIS Server.
  • BUG-000127160 - Error enabling Location Tracking when the configuration store is in the cloud storage.
To avoid conflicts on 10.7.1 this patch also addresses:
  • BUG-000145345 - Update log4j to address security vulnerabilities
  • BUG-000142204 - Setting a field invisible in a hosted feature service view needs to hide the field references from the templates.
  • BUG-000142120 - SQL injection vulnerability in ArcGIS Server.
  • BUG-000139857 - Remote file inclusion vulnerability in the ArcGIS Server help documentation.
  • BUG-000137668 - Stored XSS vulnerability in ArcGIS Server Services Directory
  • BUG-000137663 - Stored XSS vulnerability in ArcGIS Server
  • BUG-000137662 - Reflected XSS in ArcGIS Server
  • BUG-000137658 - SSRF vulnerability in ArcGIS Server Manager.
  • BUG-000132311 - Unable to view service workspace information in Server Manager when the site's config-store is stored in S3/DynamoDB in AWS
  • BUG-000131992 - Reflected cross-site scripting (XSS) vulnerability in ArcGIS Server.
  • BUG-000130002 - 'GetFolders', 'GetDescriptions', and 'GetDescriptionsEx' requests fail in ArcGIS Server 10.7.1 deployments on Amazon Web Services.
  • BUG-000128892 - Caching with 64 or more instances on a single machine may fail despite sufficient system resources.
  • BUG-000128060 - ArcGIS Server has a Server Side Request Forgery (SSRF) security vulnerability.
  • BUG-000127160 - Error enabling Location Tracking when the configuration store is in the cloud storage.
  • BUG-000127113 - Unable to connect to identity store using Asp.net using ArcGIS Server 10.7. or later after restarting the ArcGIS Server Windows service.
  • BUG-000125331 - CreateReplica with registerExistingData needs to account for service URLs with different machine names for hosted FS
  • BUG-000125214 - Optimize the deletion of services to avoid time-outs on deployments that include a large number of services.
  • BUG-000125044 - Hosted feature service has a stored cross-site scripting (XSS) vulnerability.
  • BUG-000124991 - ArcGIS Server fails to fully import root or intermediate certificates.
  • BUG-000124867 - When attempting to download a managed map area in Collector for ArcGIS, the download fails due to an error that occurs between ArcGIS Server and the ArcGIS Web Adaptor replica access.
  • BUG-000124827 - On a multiple-machine ArcGIS Server site that has one or more cached map services that have been consumed through ArcMap or a SOAP client, publishing a service or stopping/starting a service causes all services on the machines to restart.
  • BUG-000124576 - Starting a map service with a Java SOAP server object extension (SOE) enabled fails with the error "javax/xml/bind/JAXBException".
  • BUG-000124287 - Publishing fails because enterprise database registration fails, even though it appears to work on the UI. This could happen on a machine configuration that has multiple Network cards.
  • BUG-000123103 - ArcGIS Server improperly handles an incorrect CORS origin.
  • BUG-000122285 - Scalability of 3D Scene Service is impeded by frequent reads/writes to the config store and directories.
  • BUG-000120535 - In the Operations Dashboard for ArcGIS serial chart in Portal for ArcGIS, sorting data by statistics in the Data Options configuration returns the warning message, "Cannot Access Data."
  • BUG-000113339 - Creating a backup of ArcGIS Server returns an error message, "Export operation failed. null" if a cache directory is registered when creating a cloud data store.

Installing this patch on Windows


Installation Steps:


The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

The ArcGIS Server 10.9.1 Setup Program Patch is a mandatory prerequisite for installing this patch on Windows. Please download and install the ArcGIS Server 10.9.1 Setup Program Patch before attempting to install this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. ArcGIS Enterprise  
       
    ArcGIS Server 10.9.1 ArcGIS-1091-S-SEC2022U1-PatchB.msp
         Checksum
         (SHA256)
    5D74A3374FE91B9B8B74E8414B09353A33F1EA784A35A8B53F6661A199DC64E5
       
       
    ArcGIS Server 10.8.1 ArcGIS-1081-S-SEC2022U1-PatchB.msp
         Checksum
         (SHA256)
    74C6BE12578C18B61969F4E254CD21F66365C5F3F16EAF3F5EFDBF4924541EFE
       
       
    ArcGIS Server 10.7.1 ArcGIS-1071-S-SEC2022U1-PatchB.msp
         Checksum
         (SHA256)
    D93FFEF457AE02676CABA43C2103ED0B1ACDAF358F18A8119156674555F34EED
       

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-<Version>-S-SEC2022U1-PatchB.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:


    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-S-SEC2022U1-PatchB.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    ArcGIS Enterprise  
       
    ArcGIS Server 10.9.1 ArcGIS-1091-S-SEC2022U1-PatchB-linux.tar
         Checksum
         (SHA256)
    2870E60E6D1DEB110BD746485FF7113F932345F46D06AA0C9D68EF193E2D2B86
       
    ArcGIS Server 10.8.1 ArcGIS-1081-S-SEC2022U1-Patch-linuxB.tar
         Checksum
         (SHA256)
    AE36D9D371D9D224F6A630FA7B963A2DD1C3E4295C589FD5C21C856C9C9C61BF
       
    ArcGIS Server 10.7.1 ArcGIS-1071-S-SEC2022U1-PatchB-linux.tar
         Checksum
         (SHA256)
    025F1CA478B5B3646BC37B40F6C861F905BFE905D12D5CE6DB216C0A8F1F4439
       

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:


    % tar -xvf ArcGIS-<Version>-S-SEC2022U1-PatchB-linux.tar

  4. Start the installation by typing:


    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.


Upgrade a geodatabase

When a hotfix or patch for ArcGIS has been applied, it may also be necessary to upgrade your geodatabase. See the Upgrade the Geodatabase section on the Geodatabase management page for your individual DBMS platform for more information.


Uninstalling this patch on Windows


    To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux


    To remove this patch on versions 10.7 and higher, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:


    ./removepatch.sh

    The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

    Restart your ArcGIS services

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

Important Note: August 23, 2022 The 10.8.1 version of the ArcGIS Server Security 2022 Update 1 is currently disabled while a non-security related regression is being investigated.

Important Note September 1, 2022: The 10.9.1, 10.8.1 and 10.7.1 versions of the ArcGIS Server Security 2022 Update 1 have been re-released to address:

    BUG-000151727 - WMTS-Capabilities file cannot be retrieved after installation of the ArcGIS Server Security 2022 Update 1 Patch.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.