Esri has released the ArcGIS Server Security 2021 Update 2 Patch. This patch resolves four recently identified security vulnerabilities across versions 10.9, 10.8.1, 10.7.1, and 10.6.1. As with all security patches, we encourage all system administrators to install security updates on relevant systems at your earliest opportunity.
One high severity vulnerability and three medium severity vulnerabilities are addressed in this patch. The ArcGIS Server Security 2021 Update 2 Patch is available here.
We provide Common Vulnerability Scoring System (CVSS) scores so that customers can better assess the risk these vulnerabilities pose to their operations. Both the base score and a modified temporal score are provided; the temporal score reflects the availability of an official patch. Please see the Common Vulnerability Scoring System for more information on the definition of these metrics.
Vulnerabilities fixed in this patch include:
A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and earlier allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 7.3 Base Score, 6.0 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:O/MPR:L
Vulnerability Details
CVE-2021-29114 – SQL Injection (SQLi) CWE-89 – CVSS 6.0
Mitigating measures:
- By default, services published to ArcGIS Enterprise are not available anonymously and those services cannot be accessed by an unauthenticated attacker.
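The patch removes the injection itself; on the detection side, a practitioner can also watch the web tier for feature-service queries whose `where` parameter is not a plain attribute filter. The Python script below is an added example, not Esri's code and not part of the patch. It parses access-log lines in the common log format (the sample lines are constructed), picks out requests to the ArcGIS REST `.../FeatureServer/<layer>/query` endpoint, and accepts a `where` value only if it parses under a small allowlist grammar (field or literal, comparison operator, AND/OR/NOT, IN, LIKE, IS [NOT] NULL, with the doubled single quote as the only string escape). Anything that does not fit that grammar is reported, so no list of attack patterns is needed.

```python
"""Flag feature-service query requests whose `where` is not a plain attribute
filter.  Added example, not Esri code; the sample log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Layer query endpoint of an ArcGIS REST feature service.
QUERY_PATH = re.compile(r"/rest/services/.+/FeatureServer/\d+/query$", re.IGNORECASE)
# Common log format; only the fields the check needs are captured.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) \S+" \d+')
# Tokens a plain filter may contain.  Characters with no token (';', '-', '/'...)
# make tokenize() fail, so comment and statement separators are never accepted.
TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<STR>'(?:[^']|'')*')
  | (?P<NUM>-?\d+(?:\.\d+)?)
  | (?P<ID>[A-Za-z_][A-Za-z0-9_.]*)
  | (?P<OP><>|<=|>=|!=|[=<>])
  | (?P<LP>\()
  | (?P<RP>\))
  | (?P<COMMA>,)
""", re.VERBOSE)
KEYWORDS = {"AND", "OR", "NOT", "IN", "LIKE", "IS", "NULL"}


def tokenize(clause):
    """Token list for the clause, or None if some character has no token."""
    toks, pos = [], 0
    while pos < len(clause):
        m = TOKEN.match(clause, pos)
        if not m:
            return None
        pos = m.end()
        if m.lastgroup != "ws":
            toks.append((m.lastgroup, m.group()))
    return toks


class _Filter:
    """Recursive-descent check of  expr := term ((AND|OR) term)*."""

    def __init__(self, toks):
        self.toks, self.i = toks, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, "")

    def take(self, kind, text=None):
        k, t = self.peek()
        if k != kind or (text is not None and t.upper() != text):
            raise SyntaxError(f"unexpected {t!r}")
        self.i += 1

    def expr(self):
        self.term()
        while self.peek()[0] == "ID" and self.peek()[1].upper() in ("AND", "OR"):
            self.i += 1
            self.term()

    def term(self):
        k, t = self.peek()
        if k == "ID" and t.upper() == "NOT":
            self.i += 1
            return self.term()
        if k == "LP":                       # parenthesised sub-expression
            self.i += 1
            self.expr()
            return self.take("RP")
        self.operand()
        if self.peek()[0] == "OP":          # field = value, 1=1, ...
            self.i += 1
            return self.operand()
        k, word = self.peek()
        self.take("ID")
        word = word.upper()
        if word == "IS":                    # field IS [NOT] NULL
            if self.peek()[1].upper() == "NOT":
                self.i += 1
            return self.take("ID", "NULL")
        if word == "LIKE":                  # field LIKE 'pattern'
            return self.take("STR")
        if word == "IN":                    # field IN (v1, v2, ...)
            self.take("LP")
            self.operand()
            while self.peek()[0] == "COMMA":
                self.i += 1
                self.operand()
            return self.take("RP")
        raise SyntaxError(f"unexpected {word!r}")

    def operand(self):
        k, t = self.peek()
        if k not in ("ID", "NUM", "STR") or (k == "ID" and t.upper() in KEYWORDS):
            raise SyntaxError(f"unexpected {t!r}")
        self.i += 1


def where_is_allowed(clause):
    """True only if the entire clause parses as a plain attribute filter."""
    toks = tokenize(clause)
    if toks is None:
        return False
    p = _Filter(toks)
    try:
        p.expr()
    except SyntaxError:
        return False
    return p.i == len(toks)


def scan_access_log(lines):
    """One finding per feature-service query whose `where` is not allowed."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not QUERY_PATH.search(url.path):
            continue
        where = parse_qs(url.query).get("where", [""])[0]   # percent-decoded
        if where and not where_is_allowed(where):
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "path": url.path, "where": where})
    return findings


# Constructed sample: three ordinary filters and one request that is not a filter.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2021:10:00:01 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=STATE_NAME%3D%27Texas%27&outFields=*&f=json HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jul/2021:10:00:02 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=OWNER%3D%27O%27%27Brien%27&f=json HTTP/1.1" 200 611',
    '10.0.0.8 - - [01/Jul/2021:10:00:05 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1&returnCountOnly=true&f=json HTTP/1.1" 200 44',
    '198.51.100.7 - - [01/Jul/2021:10:00:09 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=OBJECTID%3D1%3B%20SELECT%201&f=json HTTP/1.1" 200 310',
]
```

Run `scan_access_log(SAMPLE_LOG)` and only the last line is reported; `1=1`, `STATE_NAME='Texas'` and the doubled-quote `OWNER='O''Brien'` all pass. The grammar accepts only what a map client normally sends, so the script is meant as a triage aid for web-tier logs, not as a substitute for the patch; an access log also does not show whether a request carried a token in a header or cookie.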
A stored Cross Site Scripting (XSS) vulnerability in the feature services of Esri ArcGIS Server versions 10.8.1 and 10.9 (only) may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which, when accessed, could execute arbitrary JavaScript code in the user's browser.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 6.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/MPR:L
Vulnerability Details
CVE-2021-29116 – Cross Site Scripting (XSS) CWE-79 – CVSS 5.2
Mitigating measures:
- By default, services published to ArcGIS Enterprise are not available anonymously and those services cannot be accessed by an unauthenticated attacker.
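For the stored XSS item there are two defensive angles beyond installing the patch: finding markup that has already been written into feature attributes, and making sure that whatever renders attributes into HTML escapes them. The Python below is an added example, not Esri's code. `find_markup` scans a query response in the feature-service `f=json` shape (a constructed sample, with one benign `<` in prose and one script tag) for string attributes that begin a tag, and `render_attribute_table` shows the hardened rendering path with `html.escape`. The tag pattern is deliberately narrow, a `<` followed by an optional `/` and a letter, `!` or `?`, so text like `< 2 m` is not reported.

```python
"""Find markup stored in feature attributes and render attributes escaped.
Added example, not Esri code; SAMPLE_RESPONSE is constructed."""
import html
import json
import re

# Start of a tag: '<', optional '/', then a letter, '!' or '?'.  A bare '<' in
# prose ("< 2 m") does not match.
TAG_START = re.compile(r"<\s*/?\s*[A-Za-z!?]")

# Constructed sample in the shape of a feature-service layer /query?f=json response.
SAMPLE_RESPONSE = json.loads("""{
  "objectIdFieldName": "OBJECTID",
  "fields": [
    {"name": "OBJECTID", "type": "esriFieldTypeOID"},
    {"name": "OWNER", "type": "esriFieldTypeString"},
    {"name": "NOTES", "type": "esriFieldTypeString"}
  ],
  "features": [
    {"attributes": {"OBJECTID": 1, "OWNER": "O'Brien", "NOTES": "Fence < 2 m high"}},
    {"attributes": {"OBJECTID": 2, "OWNER": "Smith", "NOTES": "<script>alert('x')</script>"}}
  ]
}""")


def string_fields(response):
    """Names of the string-typed fields declared in the response."""
    return [f["name"] for f in response.get("fields", [])
            if f.get("type") == "esriFieldTypeString"]


def find_markup(response):
    """(object id, field, value) for each string attribute that starts a tag."""
    oid_field = response.get("objectIdFieldName", "OBJECTID")
    hits = []
    for feature in response.get("features", []):
        attrs = feature.get("attributes", {})
        for name in string_fields(response):
            value = attrs.get(name)
            if isinstance(value, str) and TAG_START.search(value):
                hits.append((attrs.get(oid_field), name, value))
    return hits


def render_attribute_table(response):
    """Hardened rendering: every header and cell goes through html.escape."""
    names = [f["name"] for f in response.get("fields", [])]
    rows = ["<tr>" + "".join(f"<th>{html.escape(n)}</th>" for n in names) + "</tr>"]
    for feature in response.get("features", []):
        attrs = feature.get("attributes", {})
        cells = "".join(f"<td>{html.escape(str(attrs.get(n, '')))}</td>" for n in names)
        rows.append("<tr>" + cells + "</tr>")
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    for oid, field, value in find_markup(SAMPLE_RESPONSE):
        print(f"OBJECTID {oid}: field {field} contains markup: {value!r}")
    print(render_attribute_table(SAMPLE_RESPONSE))
```

The scan reports only object 2 (`NOTES`); the rendered table contains `&lt;script&gt;` rather than a live tag and keeps `O'Brien` and `Fence < 2 m high` readable. Escaping at render time is what prevents a stored string from running, regardless of how it got into the attribute.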
An information disclosure vulnerability in Esri ArcGIS Enterprise versions 10.9.0 and below: a field that is marked as invisible in a hosted feature service view is not hidden from the editing templates offered for that view, which allows a remote attacker to view the field names via the ArcGIS Services Directory.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 5.3 Base Score, 4.1 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/RL:O/MPR:L
Vulnerability Details
CVE-2021-29115 – Information Exposure CWE-200 – CVSS 4.1
Mitigating measures:
- Options to mitigate this issue include securing the hosted feature service and any created hosted feature service views.
A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker-supplied HTML into a page.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 4.7 Base Score, 3.3 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O
Vulnerability Details
CVE-2021-29116 – Cross Site Scripting (XSS) CWE-79 – CVSS 3.3
Mitigating measures:
- The help documentation may be secured at the web tier. See: https://community.esri.com/t5/esri-software-security-privacy-blog/bg-p/esri-software-security-and-privacy-blog/page/2
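The mitigating measures for the first two items rest on services not being reachable anonymously, and the third item's advice to secure hosted feature services and their views is the same condition applied to views. The Python script below is an added example (not Esri's code or tooling) that audits that condition from the outside: it walks the REST services directory without credentials and records, per service, whether the unauthenticated request was answered or refused. It assumes the services-directory JSON shape (`folders`, and `services` entries with `name` and `type`, each reachable with `?f=json`) and the ArcGIS REST convention of answering an unauthenticated request to a secured resource with HTTP 200 and a JSON `error` object whose code is 499 ("Token Required") or 498 ("Invalid Token"); verify both against your own deployment. `FAKE_SITE` is a constructed in-memory catalogue so the script runs offline; `make_http_fetch` is the live equivalent.

```python
"""Walk an ArcGIS Server REST services directory without credentials and record
which services answer.  Added example, not Esri code; FAKE_SITE is constructed."""
import json
from urllib.error import HTTPError
from urllib.request import urlopen


def classify_unauthenticated_response(status, body):
    """'anonymous' when the resource was served, 'token-required' when ArcGIS
    refused it, another string for anything unexpected."""
    if status != 200:
        return f"http-{status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "non-json"
    err = doc.get("error") if isinstance(doc, dict) else None
    if err is None:
        return "anonymous"
    # Assumption (verify on your site): a secured resource is reported with
    # HTTP 200 and an error object, code 499 "Token Required" or 498 "Invalid Token".
    if err.get("code") in (498, 499):
        return "token-required"
    return f"error-{err.get('code')}"


def walk_services(fetch, folder=""):
    """Yield (name, type, classification) for everything reachable under `folder`.
    fetch(path) must return (http_status, body_text) for <base>/rest/services/<path>?f=json."""
    status, body = fetch(folder)
    cls = classify_unauthenticated_response(status, body)
    if cls != "anonymous":
        yield folder, "folder", cls          # listing refused: nothing more to see here
        return
    doc = json.loads(body)
    for svc in doc.get("services", []):
        name, stype = svc["name"], svc["type"]   # name already includes its folder
        s_status, s_body = fetch(f"{name}/{stype}")
        yield name, stype, classify_unauthenticated_response(s_status, s_body)
    for sub in doc.get("folders", []):
        yield from walk_services(fetch, sub)


def anonymously_served_services(fetch):
    """Sorted names of services (any type) that answered an unauthenticated request."""
    return sorted(n for n, t, c in walk_services(fetch) if t != "folder" and c == "anonymous")


def make_http_fetch(base_url):
    """Live fetcher, e.g. make_http_fetch('https://gis.example/arcgis') (hypothetical host)."""
    root = base_url.rstrip("/") + "/rest/services"

    def fetch(path):
        url = f"{root}/{path}?f=json" if path else f"{root}?f=json"
        try:
            with urlopen(url, timeout=15) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except HTTPError as exc:
            return exc.code, exc.read().decode("utf-8", "replace")
    return fetch


# Constructed stand-in for a site: one open feature service, one secured map
# service and one secured folder.
_TOKEN_REQUIRED = json.dumps({"error": {"code": 499, "message": "Token Required", "details": []}})
FAKE_SITE = {
    "": (200, json.dumps({"currentVersion": 10.9, "folders": ["Secure"],
                          "services": [{"name": "Parcels", "type": "FeatureServer"},
                                       {"name": "Basemap", "type": "MapServer"}]})),
    "Parcels/FeatureServer": (200, json.dumps({"layers": [{"id": 0, "name": "Parcels"}]})),
    "Basemap/MapServer": (200, _TOKEN_REQUIRED),
    "Secure": (200, _TOKEN_REQUIRED),
}


def fake_fetch(path):
    return FAKE_SITE.get(path, (404, ""))


if __name__ == "__main__":
    for entry in walk_services(fake_fetch):   # use make_http_fetch(...) for a live site
        print(*entry)
```

Against the constructed site the walk lists `Parcels` as served anonymously and `Basemap` and the `Secure` folder as token-required, which is the state the mitigations above describe for secured services. A service that shows up as `anonymous` in this output while the site is unpatched is one the unauthenticated attack paths described above could reach, so it belongs at the front of the patching queue.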