CVE-2021-29102

9.1 CRITICAL

📋 TL;DR

This SSRF vulnerability in ArcGIS Server Manager allows unauthenticated remote attackers to make arbitrary GET requests from the vulnerable system. This can lead to internal network scanning, data exfiltration, or chaining with other vulnerabilities. Affects ArcGIS Server Manager versions 10.8.1 and earlier.

💻 Affected Systems

Products:
  • ArcGIS Server Manager
Versions: 10.8.1 and earlier
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Manager component specifically; ArcGIS Server services themselves may not be directly vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains internal network access, exfiltrates sensitive data, or uses the vulnerable server as a proxy to attack other internal systems, potentially leading to full network compromise.

🟠 Likely Case

Internal network enumeration, scanning of internal services, and potential data leakage from internal endpoints accessible to the server.

🟢 If Mitigated

Limited impact due to network segmentation, egress filtering, and proper access controls preventing the server from reaching sensitive internal resources.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited and tooling exists; because no authentication is required, exploitation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Security 2021 Update 1 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-1-patch/

Restart Required: Yes

Instructions:

1. Download the Security 2021 Update 1 patch from My Esri.
2. Stop ArcGIS Server services.
3. Apply the patch following Esri's installation guide.
4. Restart services.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Restrict outbound network access from ArcGIS Server to only necessary destinations.

Access Control (platform: all)

Implement network ACLs to block external access to ArcGIS Server Manager if not required.

🧯 If You Can't Patch

  • Implement strict egress filtering to limit the server's outbound connections
  • Place ArcGIS Server behind a WAF configured to detect and block SSRF patterns

🔍 How to Verify

Check if Vulnerable:

Check the ArcGIS Server version; if it is 10.8.1 or earlier and the Manager component is accessible, assume the system is vulnerable.

Check Version:

Check ArcGIS Server Administrator Directory at https://<server>:6443/arcgis/admin or review installation logs.

Verify Fix Applied:

Verify patch installation via version check and test that SSRF attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound requests from ArcGIS Server to internal IPs
  • Multiple failed authentication attempts followed by external requests

Network Indicators:

  • ArcGIS Server making unexpected HTTP requests to internal services
  • Traffic patterns suggesting port scanning from the server

SIEM Query:

source="arcgis-server" AND (url="*://internal*" OR dest_ip=private_ip_range)
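The SIEM pseudo-query above can be turned into a concrete check. The following is an added example, not part of the original advisory or of any Esri tooling: it parses constructed egress-proxy log lines (the format and host names are assumptions) and flags outbound requests from the ArcGIS host to private, loopback or link-local targets, the traffic an SSRF-driven internal scan would produce.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample egress-proxy log (not real data): timestamp, source host,
# method, requested URL, HTTP status ("000" = no response).
SAMPLE_LOG = """\
2021-05-03T10:12:01Z arcgis-server GET https://services.arcgisonline.com/ArcGIS/rest/info 200
2021-05-03T10:12:07Z arcgis-server GET http://10.0.5.21:8080/manager/html 401
2021-05-03T10:12:08Z arcgis-server GET http://10.0.5.22:8080/ 000
2021-05-03T10:12:09Z arcgis-server GET http://169.254.169.254/latest/meta-data/ 200
2021-05-03T10:12:15Z fileserver GET http://10.0.5.30/share 200
2021-05-03T10:12:20Z arcgis-server GET http://localhost:6080/arcgis/admin 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_internal_target(url):
    """True if the URL's host is a private, loopback or link-local address,
    or the literal name 'localhost'."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # public DNS name; resolution is out of scope here
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_ssrf_indicators(log_text, source_host="arcgis-server", scan_threshold=3):
    """Return (flagged, scan_suspected). flagged lists (timestamp, url, status)
    for requests from source_host to internal targets; scan_suspected is True
    when the number of distinct internal hosts reaches scan_threshold."""
    flagged, targets = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _method, url, status = m.groups()
        if src == source_host and is_internal_target(url):
            flagged.append((ts, url, status))
            targets.add(urlsplit(url).hostname)
    return flagged, len(targets) >= scan_threshold


if __name__ == "__main__":
    hits, scanning = find_ssrf_indicators(SAMPLE_LOG)
    for ts, url, status in hits:
        print(ts, url, status)
    print("scan suspected:", scanning)
```

Adjust `LINE_RE` to your proxy's log format; the internal-target test and the distinct-host scan heuristic carry over unchanged.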
