
ArcGIS for Server, Security, and Bash Vulnerability

In light of the recent announcements on the bash (AKA: Shellshock) vulnerability, a quick update on how your ArcGIS for Server might be affected.

First, some good news if you are running your Esri installation on Windows: you are not affected. Shellshock is a bug in the Bash shell, which Windows does not ship, so only Linux/Unix installations are exposed, and at this point that means relatively few ArcGIS for Server installations will be impacted. However, don't stop reading yet: more security vulnerabilities for ArcGIS for Server installations are discussed below.

Now if you are one of the few (but growing) group using Linux/Unix, you are probably impacted in some way by this vulnerability. If your server runs on Amazon EC2, Amazon has been working on the issue and has patched its environment: the Amazon Linux AMI has been updated, so any new instances you create already carry the fix. Amazon does not patch the guest OS on instances you launched earlier, though, so if you customized an AMI a while ago, or you aren't sure whether the patch is applied, check Amazon's Shellshock security bulletin to see how to fix it.

If you have a locally hosted Linux/Unix install, I'm going to assume you already know how to patch it, since you installed the OS and configured ArcGIS for Server in the first place (you know what you are doing)! OK, just in case: update Bash through your distribution's package manager (the first Bash patch, for CVE-2014-6271, was incomplete, so make sure you also pick up the follow-up fix for CVE-2014-7169) and you are good.
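To verify that the update actually took, here is an added example (not part of the original post and not an Esri tool) that runs the two public Shellshock proof-of-concept strings against whatever `bash` is on the PATH and prints the upgrade command for the package manager it finds. It assumes `bash` and `mktemp` are installed; the function names and the marker string `SHELLSHOCK` are my own choices. Run it as the account that owns the ArcGIS for Server process so you test the same Bash binary the service would invoke.

```shell
#!/bin/sh
# Added example: local Shellshock checks plus the distro-specific Bash upgrade
# command. Exit status 0 from a *_vulnerable function means the bug is present,
# 1 means it is not, 2 means bash (or mktemp) could not be found.

# CVE-2014-6271: Bash parsed an exported variable that looks like a function
# definition past the closing brace, so the trailing "echo SHELLSHOCK" ran at
# startup. A patched Bash prints nothing here.
cve_2014_6271_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo SHELLSHOCK' bash -c 'true' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK*) return 0 ;;   # payload executed during bash startup
        *)            return 1 ;;
    esac
}

# CVE-2014-7169: the first fix left parser state leaking, so a malformed
# function body turned the next command into a redirection. On a vulnerable
# Bash this creates a file literally named "echo" in the working directory,
# so run it inside a throwaway temp dir and look for that file.
cve_2014_7169_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env x='() { (a)=>\' bash -c 'echo SHELLSHOCK' ) >/dev/null 2>&1 || true
    if [ -f "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    return 1
}

# Pick the upgrade command by the package manager present on the host.
bash_upgrade_command() {
    if command -v yum >/dev/null 2>&1; then
        echo "sudo yum update bash"
    elif command -v apt-get >/dev/null 2>&1; then
        echo "sudo apt-get update && sudo apt-get install --only-upgrade bash"
    elif command -v zypper >/dev/null 2>&1; then
        echo "sudo zypper update bash"
    else
        echo "update the bash package with your distribution's package manager"
    fi
}

shellshock_report() {
    for cve in 6271 7169; do
        if "cve_2014_${cve}_vulnerable"; then
            echo "CVE-2014-$cve: VULNERABLE"
        else
            echo "CVE-2014-$cve: not vulnerable (or bash not found)"
        fi
    done
    echo "Upgrade with: $(bash_upgrade_command)"
}

shellshock_report
```

If either check reports VULNERABLE, run the printed upgrade command, then rerun the script; the 7169 check is the one that catches a host that only received the first-round patch. Restart ArcGIS for Server afterwards so any long-running processes pick up the new binary.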

Lastly, if you are using ArcGIS Online, hosted services, or Portal for ArcGIS: no worries, Esri has already released a communication stating that these services are not affected.

FYI, other recent vulnerabilities

Just in case you took the summer off, a few additional security issues have been identified in the past few months. They did not get the same fanfare as the Bash bug, since they are limited to Esri software rather than the operating system:

1. A vulnerability that could allow unauthorized access to secured resources, along with some cross-site scripting (XSS) vulnerabilities, was identified in ArcGIS for Server and patched by Esri this August. This affects all operating systems and every release since 10.1 (including the current 10.2.2 release at the time of writing). More info and the download are available from Esri. Review: easy and fast to install, no reboot required (under one minute of outage).

2. Another issue, this time limited to Windows and the Web Adaptor for IIS (10.1 to 10.2.2), has related patches specifically for the Web Adaptor/IIS configuration that fix additional authorization bypass and XSS vulnerabilities. More info and the download are available from Esri. Review: easy and fast to install, no reboot required, although IIS and the Web Adaptor are restarted, causing a short outage (under one minute).

Happy Patching!

If you found my writing entertaining or useful and want to say thanks, you can always buy me a coffee.