Bug: Security Patch for ArcGIS Web Adaptor for IIS 10.1 SP1 to 10.2.2
Esri has released a security patch to address serious vulnerabilities in the Web Adaptor for IIS. This patch should be applied immediately. The Web Adaptor for the Java platform is not affected by these vulnerabilities.
NIM102891 – ArcGIS Web Adaptor on IIS does not enforce authorization on a restricted URL – (CWE-425)
NIM102631 – ArcGIS Web Adaptor on IIS contains a cross-site scripting (XSS) vulnerability – (CWE-79)
Esri requests that customers install Security Patch - ArcGIS Web Adaptor for IIS (10.1 SP1 to 10.2.2) at the earliest opportunity.
Esri recommends minimizing the attack surface of any software deployments. Administrative interfaces such as ArcGIS Manager and the Web Adaptor configuration page should not be exposed for general Internet access.
CVSS base scores do not account for temporal factors or organization-specific environmental factors, and the scores above align with those of other similar historical vulnerabilities.
ArcGIS 10.1 SP1, 10.2.1, and 10.2.2 Web Adaptor for IIS Security (August 2014) Patch