CVE-2021-29114

9.8 CRITICAL

📋 TL;DR

CVE-2021-29114 is a SQL injection vulnerability in the feature services published by Esri ArcGIS Server. A remote, unauthenticated attacker can inject arbitrary SQL through feature service requests and have it executed against the database behind the service, which can lead to data theft, data manipulation or service disruption. ArcGIS Server 10.9 and earlier are affected; Esri's Security 2021 Update 2 patch fixes the issue.

💻 Affected Systems

Products:
  • Esri ArcGIS Server
Versions: 10.9 and below
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects feature services (map services published with the Feature Access capability); the advisory does not list other service types as affected.

📦 What is this software?

ArcGIS Server is Esri's server product for publishing GIS content (maps, feature layers, geoprocessing tools) as REST and SOAP web services, and is the core of ArcGIS Enterprise. A feature service exposes the data of a layer for querying and editing over the ArcGIS REST API; the "where" parameter of a feature service query is itself a SQL WHERE clause that is evaluated against the underlying database.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the database backend, including data exfiltration, data destruction, and potential lateral movement to other systems.

🟠

Likely Case

Unauthorized data access and manipulation of GIS feature data, potentially leading to data integrity issues and service disruption.

🟢

If Mitigated

Limited impact if ArcGIS Server is reachable only from trusted networks and the service's database account holds only the permissions the published data needs; injected SQL is then confined to those tables, though service availability could still be affected.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection is a routinely exploited bug class, and the affected feature service endpoints are ordinary HTTP endpoints that web maps and clients call, so no credentials or special client are needed; that combination makes this particularly dangerous on Internet-facing servers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ArcGIS Server Security 2021 Update 2 Patch

Vendor Advisory: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available

Restart Required: Yes

Instructions:

1. Download the ArcGIS Server Security 2021 Update 2 patch for your platform and version from Esri (see the vendor advisory above).
2. Stop ArcGIS Server services.
3. Apply the patch according to Esri's patch documentation.
4. Restart services and verify functionality; on a multi-machine site, repeat on every machine.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Restrict access to ArcGIS Server to trusted networks only (VPN, allow-listed ranges, or a reverse proxy that forwards only the services that must be public).

Web Application Firewall

Platform: all

Deploy a WAF with SQL injection rules in front of the feature service endpoints. Tune before blocking: a legitimate feature service "where" parameter is a SQL WHERE clause, so generic rules keyed on quotes or "1=1" will trip on normal traffic; rules that look for UNION SELECT, stacked statements, comment sequences and sleep/delay functions are a better fit.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Where a feature service does not need anonymous access, restrict it to authenticated roles through ArcGIS Server's service-level security, so the endpoint is not reachable unauthenticated
  • Run the service's database connection with the least privilege the published data needs (no DDL, no access to unrelated schemas) to bound what injected SQL can do
  • Monitor for suspicious SQL queries in database and application logs

🔍 How to Verify

Check if Vulnerable:

Check the ArcGIS Server version; if it is 10.9 or earlier, assume vulnerable unless the Security 2021 Update 2 patch is installed. Installing the patch does not change the reported version number, so a version check alone cannot confirm the fix.

Check Version:

Read currentVersion / fullVersion from the ArcGIS Server Administrator Directory (https://<host>:6443/arcgis/admin on the default port; login required) or from the unauthenticated REST root https://<host>:6443/arcgis/rest/info?f=json; the installation logs also record the version.

Verify Fix Applied:

Confirm the patch is listed as installed, for example with the Patch Notification utility that ships with ArcGIS Server (it lists installed patches), on every machine of the site, since patches are installed per machine.
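The version check described above, as an added example (not Esri's code and not from the original advisory). It assumes that the unauthenticated REST root https://<host>:6443/arcgis/rest/info?f=json returns currentVersion as a JSON number (10.81 for 10.8.1, 10.9, 10.91 for 10.9.1, 11.0) and, on recent releases, fullVersion as a dotted string, and that the Administrator Directory reports the same two fields; the sample responses are constructed. The function names (parse_version, assess, fetch_info) are this example's own.

```python
"""Classify an ArcGIS Server installation by version for CVE-2021-29114.

Added example, not Esri's code. Assumptions: /arcgis/rest/info?f=json
returns "currentVersion" as a JSON number (10.81 == 10.8.1, 10.91 == 10.9.1)
and, on recent releases, "fullVersion" as a dotted string. The sample
responses below are constructed, not captured from real servers.
"""
import json
import ssl
import urllib.request

# "10.9 and below" per this advisory; anything later is outside its range.
LAST_AFFECTED = (10, 9, 0)


def parse_version(raw):
    """Normalize 10.81, "10.81" or "10.8.1" to a (major, minor, patch) tuple.

    Esri minor versions in the 10.x line are single digits, so the fractional
    digits of the numeric form split as minor + patch (10.81 -> 10.8.1).
    """
    text = repr(raw) if isinstance(raw, float) else str(raw).strip()
    parts = text.split(".")
    if len(parts) == 3:
        major, minor, patch = (int(p) for p in parts)
    elif len(parts) == 2:
        major = int(parts[0])
        minor = int(parts[1][0])
        patch = int(parts[1][1:] or "0")
    elif len(parts) == 1:          # e.g. a bare 11 decoded as an int
        major, minor, patch = int(parts[0]), 0, 0
    else:
        raise ValueError(f"unrecognized ArcGIS version: {raw!r}")
    return (major, minor, patch)


def is_affected_version(raw):
    """True when the version is within the advisory's range (<= 10.9)."""
    return parse_version(raw) <= LAST_AFFECTED


def assess(info):
    """Turn a parsed rest/info document into a verdict.

    The version alone cannot prove the patch is installed: Esri security
    patches do not bump the version, so "10.9 and below" means "confirm the
    Security 2021 Update 2 patch is present", not "vulnerable".
    """
    raw = info.get("fullVersion") or info.get("currentVersion")
    if raw is None:
        raise ValueError("response has neither fullVersion nor currentVersion")
    version = parse_version(raw)
    status = "affected-unless-patched" if version <= LAST_AFFECTED else "not-affected"
    return {"version": ".".join(map(str, version)), "status": status}


def fetch_info(base_url, verify_tls=True):
    """GET <base_url>/rest/info?f=json; base_url is e.g. https://gis.example.org:6443/arcgis."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab servers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = base_url.rstrip("/") + "/rest/info?f=json"
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return json.load(resp)


# Constructed sample responses (hypothetical hosts, not real captures).
SAMPLE_RESPONSES = {
    "legacy-10.8.1": {"currentVersion": 10.81, "fullVersion": "10.8.1"},
    "prod-10.9": {"currentVersion": 10.9},
    "new-10.9.1": {"currentVersion": 10.91, "fullVersion": "10.9.1"},
}

if __name__ == "__main__":
    for name, doc in SAMPLE_RESPONSES.items():
        print(name, assess(doc))
```

For a live server call assess(fetch_info("https://gis.example.org:6443/arcgis")) (hypothetical host). A result of affected-unless-patched still has to be resolved against the installed-patches list on each machine of the site.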

📡 Detection & Monitoring

Log Indicators:

  • Database errors (syntax errors, failed statements) attributed to the ArcGIS Server service account in database logs
  • Bursts of failed feature service requests whose parameters carry SQL constructs a normal "where" clause never needs: UNION SELECT, stacked statements after ";", comment sequences "--" or "/*", sleep/delay functions

Network Indicators:

  • Unusual request volume or automated-looking traffic to feature service query and edit endpoints, especially from a single client
  • Database error messages surfacing in HTTP responses from feature service endpoints

SIEM Query:

source="arcgis_logs" AND ("SQL" OR "syntax" OR "injection")

Caveat: a legitimate feature service "where" parameter is itself a SQL WHERE clause (where=1=1 is the standard "all features" query), so alerting on SQL-like text or on the literal string "SQL" will be noisy; scope the query to feature service request paths and database error strings before turning it into an alert.
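Detection logic for the indicators above, as an added example (not Esri code and not from the original page). It assumes requests reach ArcGIS Server through a web server or reverse proxy (for example the Web Adaptor on IIS or Apache) that writes Apache combined-format access logs; LOG_RE, FEATURE_SERVICE_RE and the pattern names are this example's own, and the log lines are constructed. It deliberately does not key on quotes, "=" or "1=1", because those appear in every legitimate "where" clause.

```python
"""Scan access logs for SQL injection attempts against ArcGIS feature services.

Added example for this advisory, not Esri code. Assumes Apache combined-format
access logs from the web tier in front of ArcGIS Server; the sample lines are
constructed. Only FeatureServer operations are scoped, per the advisory.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Apache combined format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Feature service operations whose parameters reach the database.
FEATURE_SERVICE_RE = re.compile(
    r"/rest/services/.+/FeatureServer/\d+/"
    r"(query|applyEdits|addFeatures|updateFeatures|deleteFeatures)\b", re.I)

# A legitimate "where" IS a WHERE clause (where=1=1, where=NAME='Texas'), so
# these patterns only look for constructs no ordinary WHERE clause needs.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("stacked-query", re.compile(
        r";\s*(drop|insert|update|delete|exec|execute|declare|create|alter|grant)\b", re.I)),
    ("comment-sequence", re.compile(r"--|/\*")),
    ("time-based", re.compile(
        r"\b(pg_sleep|sleep|benchmark|dbms_pipe\.receive_message)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("os-command", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("quote-tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I)),
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_request(target):
    """Return the SQLi indicator names found in a feature service request target.

    Non-feature-service paths return [] even if their query string looks odd.
    """
    parts = urlsplit(target)
    if not FEATURE_SERVICE_RE.search(parts.path):
        return []
    decoded = unquote_plus(parts.query)   # %27 -> ', + -> space, etc.
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]


def scan(lines, error_burst=3):
    """Scan log lines; report SQLi-looking requests and 5xx bursts per client."""
    findings = []
    server_errors = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        reasons = classify_request(rec["target"])
        if reasons:
            findings.append({"ip": rec["ip"], "path": path, "reasons": reasons})
        # Injection probing against a feature service tends to show as a run
        # of database-backed 5xx responses from one client.
        if rec["status"] >= 500 and FEATURE_SERVICE_RE.search(path):
            server_errors[rec["ip"]] += 1
    for ip, n in server_errors.items():
        if n >= error_burst:
            findings.append({"ip": ip, "reason": "error-burst", "count": n})
    return findings


# Constructed sample log (documentation IP ranges, hypothetical service names).
SAMPLE_LOG = [
    '198.51.100.20 - - [14/Sep/2021:09:12:01 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=STATE_NAME%3D%27Texas%27&outFields=*&f=json HTTP/1.1" 200 8123',
    '198.51.100.20 - - [14/Sep/2021:09:12:05 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1&returnCountOnly=true&f=json HTTP/1.1" 200 41',
    '203.0.113.7 - - [14/Sep/2021:09:30:10 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1+UNION+SELECT+usename%2Cpasswd+FROM+pg_shadow--&f=json HTTP/1.1" 500 312',
    '203.0.113.7 - - [14/Sep/2021:09:30:12 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=OBJECTID%3D1+AND+pg_sleep(10)%3Dpg_sleep(10)&f=json HTTP/1.1" 500 312',
    '203.0.113.7 - - [14/Sep/2021:09:30:15 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=OBJECTID%3D1%3B+DROP+TABLE+parcels--&f=json HTTP/1.1" 500 312',
    '203.0.113.7 - - [14/Sep/2021:09:31:00 +0000] "GET /arcgis/rest/services/Basemap/MapServer/0/query?where=1%3D1+UNION+SELECT+1&f=json HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two limits worth knowing: applyEdits and the other edit operations are POSTed, so their parameters are not in access logs and need ArcGIS Server request logging or database auditing instead; and MapServer layers also accept a "where" clause, so widen FEATURE_SERVICE_RE if you want those in scope rather than following the advisory's feature-service focus.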
