Security Issue in ArcGIS Server
Esri has discovered a critical vulnerability in the ArcGIS Server component of ArcGIS Enterprise. It is a Server-Side Request Forgery (SSRF) issue that someone with network access to the deployment can trigger by taking specific steps, and it can give unauthenticated persons access to, and control over, other infrastructure resources.
Whether and how a given deployment is affected depends on its infrastructure and configuration, and all customers are urged to install the appropriate patch as soon as possible. There are known exploit vectors in Amazon Web Services (AWS), which make this issue particularly urgent for AWS deployments.
This security issue affects all supported versions of ArcGIS Server prior to 10.8, on both Windows and Linux. Because you are an ArcGIS Enterprise customer, we are notifying you of this security vulnerability directly, in addition to our regular online notifications on our blog and on our security site at trust.arcgis.com.
What You Need to Do
Patches for all versions of ArcGIS Server from 10.4 through 10.7.1 have been released. Esri strongly recommends installing the relevant patch at your earliest possible opportunity. ArcGIS Server 10.8 already contains these fixes and is not affected.
All patches can be downloaded from the Esri Support website where more information is also available.
The ArcGIS Server Security 2020 Update 1 Patch is available for versions 10.4, 10.4.1, 10.5, 10.5.1, 10.6, 10.6.1, 10.7, and 10.7.1.
You may also use the Patch Notification Tool to download and install the appropriate patch. Please see the software documentation for how to use this tool. Ensure that the patch is installed on all ArcGIS Server machines.
More Information
For more details, please refer to the knowledge base article.
We also encourage you to subscribe to the RSS feed on trust.arcgis.com for future updates on this and other security issues.