ArcGIS for Server Security Patch released

A new patch that addresses security vulnerabilities for ArcGIS for Server has recently been released. The patch may be downloaded here for the relevant versions of ArcGIS Server:

ArcGIS 10.2 for Server

ArcGIS 10.1 SP1 for Server

These patches address the following bugs:

  • NIM092795 - The File Upload Filter for mobile content directories should block an upload of unwanted file types (10.1 SP1 & 10.2)
  • NIM092820 - The Mobile Content Directory in ArcGIS Server 10.1 SP1 has persistent cross site scripting vulnerabilities. (10.1 SP1 & 10.2)
  • NIM092841 - Add a configurable property to the ArcGIS token service that disables support for HTTP GET. (10.1 SP1 & 10.2)
  • NIM094447 - There is a SQL injection vulnerability in map and feature services that allows unauthorized modification of data. (10.1 SP1 & 10.2)
  • NIM094481 - When StandardizedQueries is True, a map service's query operation ignores the definition expression set on the layer in the source map document when outStatistics gets used. (10.2 only)
  • NIM092874 - Code passed to ArcGIS Server through a parameterized/injected query results in an un-sanitized response. (10.1 SP1 only)
  • NIM093858 - The REST API should ignore invalid query parameters. (10.1 SP1 only)

Further information regarding the vulnerabilities addressed by these patches may be found here:

http://support.esri.com/en/knowledgebase/techarticles/detail/41468

http://support.esri.com/en/knowledgebase/techarticles/detail/41498

This patch also introduces new functionality for administrators, more information about which can be found here.

Esri UK recommends that all customers install the appropriate patch at their earliest convenience.