Originalmeldung:
Esri has discovered a critical vulnerability in the ArcGIS Server component of ArcGIS Enterprise resulting in a Server Side Request Forgery (SSRF) issue when special steps are taken by someone with network access to the deployment. This can result in access to and control over other infrastructure resources by unauthenticated persons.
This can affect any deployment depending on the infrastructure and configuration and all customers are urged to install the appropriate patch as soon as possible. There are known exploit vectors in Amazon Web Services (AWS) which makes this issue particularly urgent for those deployments.
This security issue affects all supported versions prior to ArcGIS Server 10.8 on both Windows and Linux. As an ArcGIS Enterprise customer, we are notifying you about this security vulnerability in addition to regular online notifications on our blog and security site at trust.arcgis.com.
What You Need to Do
Patches for all versions of ArcGIS Server from 10.4 through 10.7.1 have been released. Esri strongly recommends installing the relevant patch at your earliest possible opportunity. ArcGIS Server 10.8 already contains these fixes and is not affected.
All patches can be downloaded from the Esri Support website where more information is also available.
The ArcGIS Server Security 2020 Update 1 Patch is available for versions 10.4, 10.4.1, 10.5, 10.5.1, 10.6, 10.6.1, 10.7, and 10.7.1.
Ergänzung:
Die aktuelle Version ArcGIS Server 10.8 (englisch), die den Patch schon enthält, ist auf dem FTP-Server bereits zum Download verfügbar. Anfragen zu den Zugangsdaten oder einer neuen Lizenzdatei stellen Sie bitte an das Lizenzmanagement des LUIS unter:
support@luis.uni-hannover.de