Security Issue in ArcGIS Server

1442
15
05-14-2018 10:59 AM
ElizabethDonahue
New Contributor III

I received an email from ESRI regarding security issue in ArcGIS server. We are currently using Server 10.1 SP1. Is our version affected by this issue?

Tags (1)
0 Kudos
15 Replies
AdrianWelsh
MVP Notable Contributor

Elizabeth,

From looking at the tech support article:

Problem: Warning of security vulnerability in ArcGIS Server 

And bug listing:

BUG-000113291: There is an improper access control issue in ArcGIS .. 

It looks like all versions of Server were affected. But, there are only patches available for 10.2.1 and upward, unfortunately.

0 Kudos
MichaelVolz
Esteemed Contributor

I believe SDE software is bundled with ArcGIS Server.  As such, does this mean that this patch would need to be applied to SDE databases as well as ArcGIS Server servers?

I downloaded the msp file and it is only 44 KB whereas the Oracle Critical patch msp file was 10,120 KB.  Is this security patch really only 44 KB (I'm just wondering if the download did not run completely)?

0 Kudos
George_Thompson
Esri Frequent Contributor

I do not think that this patch requires an Enterprise Geodatabase upgrade and from the description of the issue it is a server based issue, not geodatabase.

Update: I think that if there is a EGDB upgrade required that there will be a patch for the Desktop client also. Just my thought.

I downloaded the 10.6 version of the patch and it was 108kb.

--- George T.
0 Kudos
MichaelVolz
Esteemed Contributor

I get the following warning when I perform the download

So I'm wondering if my antivirus software or group policy exceptions list is preventing the full patch download.  Is anyone else seeing this warning and getting a very small file size for the downloaded patch?

0 Kudos
George_Thompson
Esri Frequent Contributor

I got the same message in Chrome, then hit the "Keep" button. 

--- George T.
0 Kudos
DavidCordes
New Contributor III

The patch is about 44 kb.  It is small.  If at any point you want to make sure you have the real and complete files, you can download a tool called md5sum.  You can run this tool at the command line, for example,

md5sum c:\users\david-or-whatever-your-account-is-called\downloads\ArcGIS-106-S-IACS-Patch.msp

This will then provide a value and you can compare it to the md5 value posted on the patch page.  For instance for the Windows 10.6 version of this patch, the checksum is 8B246B657A6015CC19D66382D6720BEE.  This way you can be sure you have the patch we posted.

George_Thompson
Esri Frequent Contributor

Hi Elizabeth - Unfortunately ArcGIS 10.1 has been retired, as of January 1, 2018, and is no longer supported. This would be a main reason that a patch might not be available.

Update: To be clear, I am not sure if the issue also impacts previous versions of the ArcGIS Server (pre-10.2.1) for which their are patches available. Regardless anything pre-10.2.x is now retired.

Retired: Esri Support 10.1 

What does Retired Status mean? http://downloads2.esri.com/support/TechArticles/Product-Life-Cycle.pdf 

Hope this help. I would recommend you look into upgrading to a newer release in the near future in case you have a need to get support.

--- George T.
ThomasColson
MVP Frequent Contributor

Interestingly enough....

0 Kudos
JonathanQuinn
Esri Frequent Contributor

It'd be ironic if there was an issue with the certificates for a site dedicated to security related problems, but it seems to work for me:

Perhaps your browser doesn't have the DigiCert certificates trusted? If you hit f12 on your keyboard, what's the reason it says it's untrusted?