Security patches to address vulnerabilities in ArcGIS for Server and the Web Adaptor for IIS

Esri has released security patches to address serious vulnerabilities in ArcGIS for Server and the Web Adaptor for IIS (the Web Adaptor for the Java platform is unaffected by these vulnerabilities). The affected versions are 10.1 through to 10.2.2.

We strongly recommend that all customers running the affected versions download and apply these patches as soon as possible, if they have not already done so.

The ArcGIS Web Adaptor Security Patch fixes the following issues:

NIM102891 – ArcGIS Web Adaptor on IIS does not enforce authorization on a restricted URL

NIM102631 – ArcGIS Web Adaptor on IIS contains a cross-site scripting (XSS) vulnerability

Full details of the problem and a link to download the patch can be found in the Knowledge Base article and blog article.

The ArcGIS for Server Security Patch fixes the following issues:

NIM102197 – Unauthorized access to some resources from secured services is possible in certain circumstances. This occurs in ArcGIS for Server 10.2, 10.2.1, and 10.2.2.

NIM102939 – Multiple stored cross-site scripting (XSS) vulnerabilities found. This occurs in ArcGIS for Server 10.1, 10.1 SP1, 10.2, 10.2.1, and 10.2.2.

Full details of the problem and a link to download the patch can be found in the Knowledge Base article and blog article.