CVE-2022-38198: ArcGIS Server Security 2022 Update 1 Patch
There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.
Esri has released the ArcGIS Server Security 2022 Update 1 Patch that resolves one high and four moderate severity security vulnerabilities across versions 10.9.1, 10.8.1, and 10.7.1.
This patch is available here.
We provide Common Vulnerability Scoring System v3.1 (CVSS) scores to allow our customers to better assess the risk these vulnerabilities pose to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.
Vulnerabilities fixed by this patch
CVE-2022-38196 – CWE-22
There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below that may result in a denial of service by allowing a remote, authenticated attacker to overwrite an internal ArcGIS Server directory.
CVSS Details:
- 7.2 Base Score, 6.5 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/RL:O/MAV:A
Mitigations:
Disable administration via the ArcGIS Web Adaptor. Disabling administration via the ArcGIS Web Adaptor is recommended as a best practice when exposing ArcGIS Server to the public internet.
See: https://enterprise.arcgis.com/en/web-adaptor/latest/install/iis/configure-arcgis-web-adaptor-server.htm
Esri Bug ID: BUG-000150537
Acknowledgements: Hussein Bahmad
CVE-2022-38195 – CWE-79
There is a reflected XSS vulnerability in Esri ArcGIS Server versions 10.9.1 and below that may allow a remote attacker who can convince a user to click on a crafted link to execute arbitrary JavaScript code in the victim’s browser.
CVSS Details:
- 6.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MPR:L/MAV:A
Mitigations:
Disable administration via the ArcGIS Web Adaptor. Disabling administration via the ArcGIS Web Adaptor is recommended as a best practice when exposing ArcGIS Server to the public internet.
See: https://enterprise.arcgis.com/en/web-adaptor/latest/install/iis/configure-arcgis-web-adaptor-server.htm
Esri Bug ID: BUG-000150540
Acknowledgements: Simone La Porta
CVE-2022-38197 – CWE-601
There is an unvalidated redirect vulnerability in ArcGIS Server that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker-controlled website via a crafted query parameter.
CVSS Details:
- 5.4 Base Score, 4.6 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/MAV:A
Mitigations:
Disable administration via the ArcGIS Web Adaptor. Disabling administration via the ArcGIS Web Adaptor is recommended as a best practice when exposing ArcGIS Server to the public internet.
See: https://enterprise.arcgis.com/en/web-adaptor/latest/install/iis/configure-arcgis-web-adaptor-server.htm
Esri Bug ID: BUG-000148347
CVE-2022-38198 – CWE-79
There is a reflected XSS vulnerability in Esri ArcGIS Server versions 10.9.1 and below that may allow a remote attacker who can convince a user to click on a crafted link to execute arbitrary JavaScript code in the victim’s browser.
CVSS Details:
- 6.1 Base Score, 5.8 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C
Mitigations:
Disable the ArcGIS Services Directory. Disabling the ArcGIS services directory is recommended as a best practice when exposing GIS Services to the public internet.
See: https://enterprise.arcgis.com/en/server/latest/administer/linux/disabling-the-services-directory.htm
Esri Bug ID: BUG-000146513
CVE-2022-38199 – CWE-494
A remote file download vulnerability can occur in some capabilities of web services provided by Esri ArcGIS Server versions 10.9.1 and below that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim’s PATH environment. Current browsers provide users with warnings against running unsigned executables downloaded from the internet.
CVSS Details:
- 6.1 Base Score, 5.8 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O
Esri Bug ID: BUG-000144172
Credit: David M. Chavez