I received an email from ESRI regarding security issue in ArcGIS server. We are currently using Server 10.1 SP1. Is our version affected by this issue?
I believe SDE software is bundled with ArcGIS Server. As such, does this mean that this patch would need to be applied to SDE databases as well as ArcGIS Server servers?
I downloaded the msp file and it is only 44 KB whereas the Oracle Critical patch msp file was 10,120 KB. Is this security patch really only 44 KB (I'm just wondering if the download did not run completely)?
I do not think that this patch requires an Enterprise Geodatabase upgrade and from the description of the issue it is a server based issue, not geodatabase.
Update: I think that if there is a EGDB upgrade required that there will be a patch for the Desktop client also. Just my thought.
I downloaded the 10.6 version of the patch and it was 108kb.
I get the following warning when I perform the download
So I'm wondering if my antivirus software or group policy exceptions list is preventing the full patch download. Is anyone else seeing this warning and getting a very small file size for the downloaded patch?
I got the same message in Chrome, then hit the "Keep" button.
- 2 people found this helpful
The patch is about 44 kb. It is small. If at any point you want to make sure you have the real and complete files, you can download a tool called md5sum. You can run this tool at the command line, for example,
md5sum c:\users\david-or-whatever-your-account-is-called\downloads\ArcGIS-106-S-IACS-Patch.msp
This will then provide a value and you can compare it to the md5 value posted on the patch page. For instance for the Windows 10.6 version of this patch, the checksum is 8B246B657A6015CC19D66382D6720BEE. This way you can be sure you have the patch we posted.
- 1 person found this helpful
Hi Elizabeth - Unfortunately ArcGIS 10.1 has been retired, as of January 1, 2018, and is no longer supported. This would be a main reason that a patch might not be available.
Update: To be clear, I am not sure if the issue also impacts previous versions of the ArcGIS Server (pre-10.2.1) for which their are patches available. Regardless anything pre-10.2.x is now retired.
Retired: Esri Support 10.1
What does Retired Status mean? http://downloads2.esri.com/support/TechArticles/Product-Life-Cycle.pdf
Hope this help. I would recommend you look into upgrading to a newer release in the near future in case you have a need to get support.
It'd be ironic if there was an issue with the certificates for a site dedicated to security related problems, but it seems to work for me:
Perhaps your browser doesn't have the DigiCert certificates trusted? If you hit f12 on your keyboard, what's the reason it says it's untrusted?
All,
does anyone know what this patch is doing?
it just seems a bit vague and im going to have to explain why i want to install a patch in a live production environment.
thanks
Dave
The patch addresses a critical vulnerability in ArcGIS Server causing improper access control validation when specially crafted requests are sent to the server. This results in secured services and their data to be exposed to users when they should not otherwise have access.
Does this patch need to be applied to all components of the enterprise deployment or just the base ArcGIS for Server server(s)? For instance does it also need to be applied to a server dedicated to Image Server or a server dedicated to GeoEvent services?
This patch should be applied to all instances of ArcGIS Server, regardless of role.
I've installed this patch now I'm getting a continous "stopping" state.
- 1 person found this helpful
I would recommend opening a technical support case to have the team investigate this in more detail.
Elizabeth,
From looking at the tech support article:
Problem: Warning of security vulnerability in ArcGIS Server
And bug listing:
BUG-000113291: There is an improper access control issue in ArcGIS ..
It looks like all versions of Server were affected. But, there are only patches available for 10.2.1 and upward, unfortunately.