topic Re: ArcGIS Server 11.0 Directory Traversal Vulnerability Patch in ArcGIS Enterprise Questions

ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

DavidColey — Fri, 07 Oct 2022 12:52:58 GMT

Hello - I just applied the ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

https://support.esri.com/en/Products/Enterprise/arcgis-server/ArcGIS-Server/11#downloads?id=8063

On my (2 machine Windows Server 2016) 11.0 hosting site servers.

And now I am seeing hundreds and hundreds of SEVERE and WARNING level log errors pertaining to webhooks, yet I have no webhooks set up yet against any of the hosted feature layers:

WARNING Webhook log: FS Webhook processor init failed Connecting to queue : FS_Raw_Events_Queue failed.

SEVERE Webhook log: init WebhookProcessors failed. FS Webhook processor init failed.

WARNING Webhook log: Error in initializing webhook processor. init WebhookProcessors failed.

Has anyone else seen this?

@JonathanQuinn

@JonEmch

Re: ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

DavidColey — Fri, 07 Oct 2022 14:10:40 GMT

UPDATE

In our environment, the federated site registered with our enterprise is still at release 10.9.1. I did apply the

ArcGIS Server Security 2022 Update 2 Patch

https://support.esri.com/en/Products/Enterprise/arcgis-server/ArcGIS-Server/10-9-1#downloads?id=8064

which does contain a fix for the same issue - Directory traversal vulnerability in ArcGIS Server -

This patch application is not generating any of the 3 unique log entries noted above.

Re: ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

KevinHibma — Fri, 07 Oct 2022 15:02:41 GMT

Hi @DavidColey

I don't have much knowledge of that particular patch, but I'm doubtful that it caused the problem.

The message is indicating that GIS Server is failing to connect to the required components for webhooks. Are you able to restart the GIS Server? A restart will sometimes fix this problem.

Is there any chance the problem was there before you applied the patch and you didn't notice the logs? If so, we'd need to figure out what might be in the way of the connection. (closed ports perhaps)

Re: ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

DavidColey — Fri, 07 Oct 2022 15:53:08 GMT

Hello @KevinHibma - thanks for the reply. Yes, a restart is something I would do after hours and will see if that helps.

I use ArcGIS Monitor, so it is not possible that I would not notice the log:

Category

Last Alert

Collection

Level

Status

H:M

Count

Groups

Counter Name

Rule

Counter Instance

Name

Comments

Counter Type

Int(min)

ArcGIS

10/07/2022 11:41 AM

Production

Warning

Open

17:44

Log-WARNING

> 0

Summary

ArcGIS Host

ArcGIS Errors

ArcGIS

10/07/2022 11:41 AM

Production

Warning

Open

17:44

Log-SEVERE

> 0

Summary

ArcGIS Host

ArcGIS Errors

ArcGIS

As you can see, these 2 logs have been open for 17 hours and the error keeps rolling along. So far, there is no impact to performance (cpu or memory) but it is hassle to find my real Severe and Warning level errors contained within.

Re: ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

KevinHibma — Fri, 07 Oct 2022 16:00:52 GMT

Thanks. That's sort of good news / bad news. I'm still skeptical the patch has caused the issue, but if you've only had the errors since applying the patch, it's now a question of how the communication was interrupted. I'll talk to a couple of colleagues and see if it's reproducible.

Unfortunately, you'll see the messages once a minute as Server attempts to re-establish the connection. Please respond back with the result of restarting Server.

Re: ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

DavidColey — Fri, 07 Oct 2022 17:31:18 GMT

Sure - but: "I'm still skeptical the patch has caused the issue". Well, the error log entries began moments after the patches were applied to the 2-machine host site cluster. So if not the patch, then what?

No one else could have attempted to create any type of the new (beta) webhook capabilities in portal at release 11, and I have not.

If a restart does not address the log error entries, I may uninstall the patch updates and see if the errors continue.

Re: ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

JonEmch — Fri, 07 Oct 2022 18:47:17 GMT

Hey there David,

Thank you for tagging me in this. Let me do some research on this and I will follow up.

Re: ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

DavidColey — Mon, 10 Oct 2022 12:59:48 GMT

Hello @KevinHibma - I was able to resolve this:

Restart arcgis server exe processes - no effect

Restart both windows servers - no effect

Uninstall patch - no effect

Reinstall patch - no effect

Then I decided to check the configuration of the webhook processes json in the

....\config-store\system\webhookprocessors-config directory where I saw that this file uses a url connection to the datastore

"jdbcUrl":"jdbc:postgresql://DATASTOREMACHINE.BCC.SCGOV.LOCAL:9876/webhooks"

I checked that my port 9876 was open and unrestricted vis system resources and it is.

Regardless, I went ahead and with a restart of the:

ArcGIS Data Store service - log entries stopped. No more errors.

So basically a restart of the datastore service resolved some type of communication issue that may or may not have been coincidental with an ArcGIS Server service restart for any reason, not just application of this patch.

So I consider this resolved on my end at least for now.

@JonEmch

Re: ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

MDekkers — Fri, 10 Feb 2023 13:38:03 GMT

We have recently seen this error message in some environments that had been upgraded to ArcGIS Enterprise 11. After some research it appeared that the firewall rules on the ArcGIS DataStore machine hadn't been update with the newly required ports (25672, 44369, 45671) for the added webhook functionality in ArcGIS Enterprise 11.
See these links for more information:
https://enterprise.arcgis.com/en/data-store/latest/install/windows/ports-used-by-arcgis-data-store.htm
https://enterprise.arcgis.com/en/portal/latest/administer/windows/about-arcgis-webhooks.htm

Re: ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

Thomas_Z2 — Mon, 15 Apr 2024 16:23:31 GMT

We experienced the same issue after we changed the PSA (primary site administrator) password.

Re-registering the ArcGIS Data Stores solved the problem for us.

It may be somehow related with the warning "Failed to log in. Invalid username 'siteadmin' or password specified." in our log files (or it solved by chance solved both issues). We were following this tutorial from Esri's technical support here.

Re: ArcGIS Server 11.0 Directory Traversal Vulnerability Patch

MBReither — Wed, 30 Jul 2025 17:05:36 GMT

There is an Esri bug which documents similar webhook error messages.

ArcGIS Server logs report hourly severe messages indicating webhook processor initialization failure

https://support.esri.com/en-us/knowledge-base/arcgis-server-logs-indicate-severe-message-about-webhoo-000031943