Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Cancel
- Home
- :
- About RandallWilliams
RandallWilliams
Esri Regular Contributor
since
07-04-2014
04-10-2026
1163
Posts created
74
Kudos given
71
Solutions
808
Kudos received
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
My Ideas
(0 Idea Submissions)Latest Contributions by RandallWilliams
|
POST
|
John, this is a dangerous, untested, and unsupported path. We do not bundle the default, unmodified Tomcat binaries with ArcGIS software. It is likely that vulnerabilities that do not impact ArcGIS software due to how we build Tomcat are now introduced by this change. We strongly recommend against in-place upgrades of 3rd party components used in our software.
... View more
01-07-2025
07:02 AM
|
1
|
3
|
12811
|
|
POST
|
Hi All, While automated vulnerability scanners will complain about CVE-2024-50379, this CVE has no impact on ArcGIS software. A challenge with almost all of these tools is that they are good at comparing a given software product/version against a database of known vulnerabilities, they are typically unable to validate exploitability. In this case, Esri software is not impacted by CVE-2024-50379 because we do not configure the default servlet to enable write (readonly initialisation parameter set to the non-default value of false). We also don't enable the PUT method at the application server level. Note also that this CVE would typically only impact Windows - Linux based file systems are case sensitive.
... View more
01-07-2025
06:57 AM
|
4
|
1
|
12817
|
|
BLOG
|
Attempted to DM, but recd message "None of the users have PM enabled. Message will not be sent". Please enable DM and I'll send it.
... View more
08-21-2024
06:47 AM
|
0
|
0
|
10943
|
|
BLOG
|
It's in the customer exclusive area of the ArcGIS Trust Center document repository. Current version 4.3. ArcGIS Vulnerability Scanning guidance
... View more
08-21-2024
06:21 AM
|
0
|
0
|
10973
|
|
BLOG
|
Link works for me. If you're taken to the customer exclusive docs, this is the one you want.
... View more
05-15-2024
06:16 AM
|
0
|
0
|
11843
|
|
POST
|
All, This is an old thread, but this question pops up occasionally. NSSM.exe is a service manager. Basically, it helps manage a running batch file as a windows service so that if it dies, it restarts. It's not a "virus". It ships with CouchDB, which we use for the tile store. We don't actually use NSSM - we build our own service. You can delete this with no worries. The reality is that this is a false positive due to a similarly named tool: https://forums.malwarebytes.com/topic/265430-potential-nssmexe-false-positive/
... View more
05-14-2024
11:27 AM
|
1
|
0
|
3437
|
|
POST
|
The change that we put in was to set the content-disposition header on the uploaded PDF to "attachment" instead of "inline". https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition We did not go back and retroactively change PDFs uploaded before this update.
... View more
03-13-2024
09:01 AM
|
0
|
0
|
4766
|
|
POST
|
That could work - I haven't tested that behavior. If your ArcGIS Enterprise is public facing and the PDF is public anyway, you can just share the URL "by reference" instead of via collaboration, too. I've noticed that Firefox gives me actions for how I want files to be used. For me at least, Firefox downloads the file locally then opens the downloaded file. (eg: file:///C:/Users/user/Downloads/doc.pdf). That's cool and a lot less dangerous. Chrome and Edge just download the file but don't open them. I haven't looked for an extension that will do it for those browsers. YMMV.
... View more
02-29-2024
06:01 PM
|
2
|
0
|
12756
|
|
POST
|
Hi All, This was an intentional change, and I'll tell you why. In almost all web applications, PDFs are uploaded to the app by a trusted source. ArcGIS Online is different in that we allow our many users to upload their own PDFs and share them broadly. When PDFs are generated and uploaded by a trusted source (eg: the site owner), we can be reasonably assured that the PDF has not been changed with a text editor to introduce malicious JavaScript. If an unsuspecting user opens a file containing malicious JS that is hosted on our ArcGIS.com domain while they are currently logged in, a browser's cross domain restrictions are effectively defeated. This leaves our users vulnerable to a, common, dangerous, easily exploited and typically severe type of attack called "stored cross-site scripting". Adobe also recognizes this risk, and offers options to prevent JS execution in Acrobat. Browser plugins also have the ability to block JavaScript - but how effective is relying on an end user to enable this functionality? We understand that this is an unpopular change. We strive to achieve a risk aware balance between "security" and "usability". This style of attack is well known and has been thoroughly documented. This is not a hypothetical - it is a real, persistent threat that we are responding to. We working to identify technologies that can identify and sanitize malicious scripts from PDFs and other files, but this is difficult challenge because PDF files are designed to use JavaScript code. We are also looking into PDF viewers that are either sandboxed or do not support JavaScript at all. We appreciate your feedback regarding this change - it does not go unheard. We look forward to providing a better, more secure option to providing an in-line experience for serving PDFs in a future release.
... View more
02-29-2024
04:23 PM
|
11
|
18
|
12801
|
|
POST
|
Hi Patrick, Regarding these: C:\Program Files\ArcGIS\DataStore\framework\runtime\couchdb\ssl\key.pem C:\Program Files\ArcGIS\DataStore\framework\template\nosql\ssl\key.pem C:\Program Files\ArcGIS\Portal\framework\runtime\ds\framework\template\nosql\ssl\key.pem These aren't SSH keys. These are 1/2 of the keypair used to support TLS in these components. The certificate keypair (cert + key) is self signed. These are key that are automatically generated upon installation. They are not trusted because they are self signed and not validated up to a certificate authority. For these: C:\Program Files\ArcGIS\DataStore\framework\runtime\ozone\compose\ozone-om-ha\.ssh\id_rsa C:\Program Files\ArcGIS\DataStore\framework\runtime\ozone\compose\ozonescripts\.ssh\id_rsa Those keys are used to start Ozone. It's used in the Object Store. If you don't have the object store configured, you can remove it via add/remove programs, but I'd disagree that these are a risk because they are only used in local communication. If an attacker has access to these keys, then they already have local admin on your ArcGIS Enterprise installation (a much bigger problem). https://ozone.apache.org/docs/1.2.1/start/onprem.html
... View more
02-22-2024
11:52 AM
|
0
|
0
|
2575
|
|
POST
|
This work around is a hack and does nothing to change the back end API. It just obfuscates the troubleshoot.html page. Please log an enhancement with support to block this capability if you're using IWA OR if you're only allowing organization-specific logins.
... View more
01-26-2024
11:59 AM
|
1
|
0
|
2109
|
|
POST
|
NO. DO NOT ATTEMPT TO UPGRADE OR INSTALL ANY PATCHES UNTIL THE 10.9.1 Validation and Repair tool IS AVAILABLE. Upgrading is an option to remediate the Sites vulnerabilities IF and ONLY IF this faulty patch has not yet been installed.
... View more
12-15-2023
10:41 AM
|
3
|
0
|
4174
|
|
POST
|
Regarding CVEs in general - when we release a security patch, we release an advisory that's discoverable on the ArcGIS Trust Center. An easy way to review all of the CVEs we've released: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Aesri
... View more
12-14-2023
01:54 PM
|
0
|
0
|
2200
|
My kudoed posts
| Title | Kudos | Posted |
|---|---|---|
| 1 | 03-05-2026 06:49 AM | |
| 1 | 02-19-2026 07:09 AM | |
| 2 | 02-17-2026 02:27 PM | |
| 3 | 11-17-2025 07:06 AM | |
| 1 | 05-24-2018 07:28 AM |
Activity Feed
- Got a Kudo for Re: Update ARCGIS ANTIVIRUS GUIDANCE document. 03-05-2026 09:33 AM
- Posted Re: Update ARCGIS ANTIVIRUS GUIDANCE document on Esri Software Security & Privacy Questions. 03-05-2026 06:49 AM
- Got a Kudo for Re: Unable to Open PDF in AGOL only Download- New as of Feb 29, 2024. 02-23-2026 10:30 AM
- Got a Kudo for Re: Update ARCGIS ANTIVIRUS GUIDANCE document. 02-20-2026 12:18 AM
- Posted Re: Update ARCGIS ANTIVIRUS GUIDANCE document on Esri Software Security & Privacy Questions. 02-19-2026 07:09 AM
- Posted Re: Update ARCGIS ANTIVIRUS GUIDANCE document on Esri Software Security & Privacy Questions. 02-19-2026 06:33 AM
- Got a Kudo for Re: Best method to change IAA and PSA passwords. 02-18-2026 06:12 AM
- Got a Kudo for Re: Best method to change IAA and PSA passwords. 02-18-2026 03:27 AM
- Posted Re: Best method to change IAA and PSA passwords on ArcGIS Enterprise Questions. 02-17-2026 02:27 PM
- Got a Kudo for Re: Unable to Open PDF in AGOL only Download- New as of Feb 29, 2024. 11-25-2025 06:42 AM
- Got a Kudo for Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro. 11-19-2025 02:52 AM
- Got a Kudo for Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro. 11-19-2025 02:52 AM
- Got a Kudo for Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro. 11-17-2025 07:13 AM
- Got a Kudo for Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro. 11-17-2025 07:09 AM
- Posted Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro on ArcGIS Pro Questions. 11-17-2025 07:06 AM
- Got a Kudo for Re: Data Privacy using Arc Gis Python API. 10-29-2025 07:34 AM
- Got a Kudo for Re: ArcSOCs Exceed Max Instance Setting. 10-22-2025 02:17 PM
- Got a Kudo for Re: Unable to Open PDF in AGOL only Download- New as of Feb 29, 2024. 10-20-2025 07:25 AM
- Got a Kudo for New Technical Paper: Considerations for configuring antivirus software for ArcGIS Enterprise hosts. 09-16-2025 12:59 PM
- Got a Kudo for Re: Unable to Open PDF in AGOL only Download- New as of Feb 29, 2024. 06-06-2025 01:08 PM
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-10-2026
06:56 AM
|