Bug: Security Patch for ArcGIS Web Adaptor for IIS 10.1 SP1 to 10.2.2
【Related Information】
Article ID: 41548
Bug Id: NIM102891, NIM102631
Software:
ArcGIS for Server 10.1, 10.2, 10.2.1, 10.2.2, 10.1 SP1
Platforms: N/A
【Bug Description】
Esri has released a security patch to address serious vulnerabilities in the Web Adaptor for IIS. This patch should be applied immediately. The Web Adaptor for the Java platform is not affected by these vulnerabilities.
【Bug Cause】
Vulnerability Details:
NIM102891 – ArcGIS Web Adaptor on IIS does not enforce authorization on a restricted URL - (CWE-425)
An interface on the web adaptor can be reached and modified by remote machines. An attacker can potentially reach the interface directly, which can facilitate unauthorized disclosure of information, unauthorized modification and/or disruption of service. This vulnerability carries a CVSS Base Score of 7.5 (HIGH).
NIM102631 – ArcGIS Web Adaptor on IIS contains a cross-site scripting (XSS) vulnerability – (CWE-79)
The Web Adaptor on IIS contains a vulnerability that takes untrusted data and sends it to a web browser without proper validation or escaping. This can result in a hijacked user session and redirection to malicious sites, among other potential scenarios. This vulnerability carries a CVSS Base Score of 4.3 (MEDIUM).
1 reply
易智瑞 Technical Support
Esri requests that customers install Security Patch - ArcGIS Web Adaptor for IIS (10.1 SP1 to 10.2.2) at the earliest opportunity.
Mitigating Measures:
Esri recommends minimizing the attack surface of any software deployments. Administrative interfaces such as ArcGIS Manager and the Web Adaptor configuration page should not be exposed for general Internet access.
ArcGIS 10.1 SP1, 10.2.1, and 10.2.2 Web Adaptor for IIS Security (August 2014) Patch
【Created and Last Modified】
Created: 8/29/2013
Last Modified: 8/29/2014
【Original Link】
http://support.esri.com/en/kno ... 41548
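
A log check for the mitigating measure above, as an added example that is not part of the original post or of Esri's advisory: it scans IIS W3C logs for requests to administrative paths from clients outside trusted networks. The path prefixes, trusted ranges and log lines are constructed placeholders, because the page does not give the actual URLs.

```python
import ipaddress

# Hypothetical placeholders: substitute your deployment's administrative URL prefixes.
ADMIN_PREFIXES = ("/placeholder-webadaptor/config", "/placeholder-manager")
# Assumption: networks from which administration is allowed.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2014-08-29 10:00:01 GET /placeholder-webadaptor/config 10.0.0.5 200
2014-08-29 10:00:07 GET /placeholder-webadaptor/config 203.0.113.9 200
2014-08-29 10:00:09 GET /arcgis/rest/services 198.51.100.7 200
2014-08-29 10:00:12 POST /Placeholder-Manager/login 198.51.100.7 302
2014-08-29 10:00:15 GET /placeholder-manager 203.0.113.9 403
"""

def external_admin_hits(log_text):
    """Return (client_ip, uri, status, served) for admin-path requests
    that came from outside TRUSTED_NETS."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "").lower()   # IIS URL paths are case-insensitive
        if not uri.startswith(ADMIN_PREFIXES):
            continue
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue                           # malformed client address: skip the row
        if any(client in net for net in TRUSTED_NETS):
            continue
        raw = row.get("sc-status", "")
        status = int(raw) if raw.isdigit() else 0
        # served=True means IIS answered with a 2xx/3xx, i.e. the interface was reachable.
        hits.append((str(client), uri, status, 0 < status < 400))
    return hits

if __name__ == "__main__":
    for ip, uri, status, served in external_admin_hits(SAMPLE_LOG):
        print(f"{ip:15} {status} {'REACHABLE' if served else 'blocked  '} {uri}")
```

Rows marked as served show that the interface answered an untrusted client; rows with a 4xx status show the restriction working but still record the attempt.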