Security Issue in ArcGIS Enterprise

Esri has discovered a critical vulnerability in the Portal for ArcGIS component of ArcGIS Enterprise. By taking specific steps, anyone with network access to the ArcGIS Enterprise portal can trigger a Server Side Request Forgery (SSRF), that is, cause the portal server to issue requests on their behalf. No authentication is required, and because the forged requests originate from the portal, they can reach, and potentially allow control over, other infrastructure resources that the portal can connect to but that the attacker cannot reach directly.

Deployments running in Amazon Web Services (AWS) are especially exposed, which makes this issue particularly urgent for them. The usual concern with an SSRF on an EC2 instance is that the forged request can reach the instance metadata service and retrieve temporary credentials for the instance's IAM role, giving the attacker whatever the portal's role is permitted to do in your AWS account.

This security issue affects all supported versions of ArcGIS Enterprise prior to 10.8, on both Windows and Linux. Because you are an ArcGIS Enterprise customer who has activated the software from AWS in the past, we are notifying you directly about this vulnerability, in addition to our regular online notifications on our blog and on our security site at Trust.ArcGIS.com.

What You Need to Do

Patches for all versions of ArcGIS Enterprise from 10.5 through 10.7.1 have been released. Esri strongly recommends installing the relevant patch at your earliest opportunity. ArcGIS Enterprise 10.8 already contains these fixes and is not affected.

All patches can be downloaded from the Esri Support website, where more information is also available.

The Portal for ArcGIS Security 2020 Update 1 Patch is available for versions 10.5, 10.5.1, 10.6, 10.6.1, 10.7, and 10.7.1.

You may also use the Patch Notification Tool to download and install the appropriate patch. Please see the software documentation for instructions on how to use this tool. Ensure that the patch is installed on every Portal for ArcGIS machine in your deployment; a single unpatched portal machine leaves the deployment exposed.

More Information

For more details, please refer to the Knowledge Base article.

We also encourage you to subscribe to the RSS feed at Trust.ArcGIS.com for future updates on this and other security issues.
