ArcGIS for Server Security Patch released

A new patch that addresses security vulnerabilities for ArcGIS for Server has recently been released. The patch may be downloaded here for the relevant versions of ArcGIS Server:

ArcGIS 10.2 for Server

ArcGIS 10.1 SP1 for Server

These patches address the following bugs:

  • NIM092795 - The File Upload Filter for mobile content directories should block an upload of unwanted file types (10.1 SP1 & 10.2)
  • NIM092820 - The Mobile Content Directory in ArcGIS Server 10.1 SP1 has persistent cross site scripting vulnerabilities. (10.1 SP1 & 10.2)
  • NIM092841 - Add a configurable property to the ArcGIS token service that disables support for HTTP GET. (10.1 SP1 & 10.2)
  • NIM094447 - There is a SQL injection vulnerability in map and feature services that allows unauthorized modification of data. (10.1 SP1 & 10.2)
  • NIM094481 - When StandardizedQueries is True, a map service's query operation ignores the definition expression set on the layer in the source map document when outStatistics gets used. (10.2 only)
  • NIM092874 - Code passed to ArcGIS Server through a parameterized/injected query results in an un-sanitized response. (10.1 SP1 only)
  • NIM093858 - The REST API should ignore invalid query parameters. (10.1 SP1 only)

Further information regarding the vulnerabilities addressed by these patches may be found here:

This patch also introduces new functionality for administrators, more information about which can be found here.

Esri UK recommends that all customers install the appropriate patch at their earliest convenience.