PROBLEM

Warning of security vulnerability in ArcGIS Server

Last Published: April 25, 2020

Description

Esri has discovered a critical vulnerability in the ArcGIS Server component of ArcGIS Enterprise resulting in a Server Side Request Forgery (SSRF) issue. There is a specific known exploit vector for deployments running on infrastructure in Amazon Web Services (AWS) but this vulnerability can apply to any environment, depending on the configuration. Customers are at risk of having internal information accessed by unauthorized individuals. Depending on their infrastructure configuration they may also be at risk of having unauthorized individuals gain administrative control over, or insight into, infrastructure.

All versions prior to ArcGIS Server 10.8 on both Windows and Linux are impacted by this security issue. Esri has released patches for all supported versions of ArcGIS Server, from version 10.4 through 10.7.1.

Cause

This patch was released in order to address a known defect, BUG-000128060

Solution or Workaround

To address this vulnerability, Esri strongly recommends all customers running ArcGIS Server install the ArcGIS Server Security 2020 Update 1 patch as soon as possible. This patch is available for ArcGIS Enterprise 10.4 – 10.7.1. and can be downloaded from the Esri Support website. This includes a fix for this issue, along with other recommended fixes for security issues. ArcGIS Server 10.8 includes the fixes and does not require a patch.

For any questions about this patch and resolving the security vulnerability, please contact Esri Technical Support, or your Esri distributor (for customers outside the United States) to resolve this issue.

Article ID:000022931

Software:
  • ArcGIS Server

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options

Discover more on this topic