Esri has released security updates for the ArcGIS Web adaptor for Java, ArcGIS Server, and Portal for ArcGIS. A number of security issues are addressed with this patch as described in the associated KBA’s and we recommend our customers apply this patch in a timely manner.
It is noteworthy that in addition to resolving some application level security vulnerabilities, this patch will disabled SSLv3 from being exposed by our web service endpoints. Since the POODLE vulnerability, disabling SSL and utilizing TLS instead is an industry best practice for web services and is the default configuration of version 10.3 ArcGIS products and later.
Update: 2/20/15 – All planned patch versions now available. As commented previously 10.3 Portal customers will need to update to 10.3.1 when it is released to mitigate remaining issues.
– The Security Standards & Architecture Team
References:
ArcGIS Server Patch KBA – 10.1 SP1 QIP, 10.2.1, 10.2.2
Web Adaptor for Java Patch KBA – 10.2.1, 10.2.2
Portal for ArcGIS Patch KBA – 10.2.1, 10.2.2
Article Discussion: