Portal for ArcGIS Security 2017 Update 1 Patch

Summary

This security patch addresses multiple security vulnerabilities found in Portal for ArcGIS. Esri recommends that all customers using Portal for ArcGIS 10.4.1 and 10.4 apply this patch.

Description

Introduction

Esri® announces the Portal for ArcGIS Security 2017 Update 1 Patch. Esri recommends that all customers using Portal for ArcGIS 10.4.1 and 10.4 apply this patch. This patch deals specifically with the issues listed below under Issues Addressed with this patch.

This security patch is cumulative and includes several non-security-related fixes from an earlier patch that are also listed below under Issues Addressed with this patch.


Issues Addressed with this patch


  • BUG-000098559 - Un-validated redirect in Portal for ArcGIS.
  • BUG-000098482 - Cross-site scripting (XSS) issue in Portal for ArcGIS.
  • BUG-000098118 - Portal for ArcGIS exposes internal information.
  • BUG-000098025 - Bypass of URL redirection rule in Portal for ArcGIS.
  • BUG-000096571 - The secure attribute is not present on a cookie in Portal for ArcGIS.
  • BUG-000096570 - Reflected cross-site scripting (XSS) is possible in Portal for ArcGIS.
  • BUG-000091316 - Some Portal upload operations do not validate file type correctly.

To avoid conflicts with existing patches, the 10.4.1 version patch also addresses these issues:

  • BUG-000099447 - Unable to upload files in the Portal home application after updating the browser to Firefox 49 or Chrome 54.
  • BUG-000098148 - Refresh membership for enterprise users and groups fails to honor nested group membership in universal groups.
  • BUG-000096161 - Error "unable to refresh item" is returned when performing analysis using the spatial analysis tools in Portal for ArcGIS Map viewer. This error occurs when ArcGIS Web Adaptor (or any reverse proxy) is on a machine different from the Hosting ArcGIS Server.
  • BUG-000094537 - Active Directory users who belong to an enterprise group with the same name as a group within a different domain are granted access to Portal for ArcGIS 10.4 even if they do not belong to the group.
  • BUG-000094523 - Cross Domain users cannot see which Enterprise groups they are a member of within Portal for ArcGIS 10.4.
  • NIM104313 - Logging out an enterprise user in Portal for ArcGIS does not propagate the user logout to the corresponding SAML Identity Provider.

To avoid conflicts with existing patches, the 10.4 version patch also addresses these issues:

  • BUG-000099447 - Unable to upload files or create groups in the Portal home application after updating the browser to Firefox 49, Chrome 54, or Safari 10.
  • BUG-000094214 - Unable to import ArcGIS Pro entitlements to Portal for ArcGIS 10.4.

Installing this patch on Windows


Installation Steps:


Portal for ArcGIS 10.4.1 or 10.4 must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    Portal for ArcGIS 10.4.1                                      Checksum (Md5)
    Portal for ArcGIS   ArcGIS-1041-PFA-SEC2017U1-Patch.msp       CB4FBF0F564B566731BC8FE78C4A653B

    Portal for ArcGIS 10.4                                        Checksum (Md5)
    Portal for ArcGIS   ArcGIS-104-PFA-SEC2017U1-Patch.msp        A00263A131C9571017294FBA51BC37FE

  2. Make sure you have write access to your ArcGIS installation location.

  3. Double-click ArcGIS-<Version>-PFA-SEC2017U1-Patch.msp to start the setup process.

    NOTE: If double-clicking the MSP file does not start the setup installation, you can start it manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-PFA-SEC2017U1-Patch.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

Portal for ArcGIS 10.4.1 or 10.4 must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    ArcGIS 10.4.1                                                     Checksum (Md5)
    Portal for ArcGIS   ArcGIS-1041-PFA-SEC2017U1-Patch-linux.tar     0975764E596C73D5AA1B5570011FC4A8

    ArcGIS 10.4                                                       Checksum (Md5)
    Portal for ArcGIS   ArcGIS-104-PFA-SEC2017U1-Patch-linux.tar      9450A0D74074AE8FB676612BD9806581

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-PFA-SEC2017U1-Patch-linux.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
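
The download step lists an Md5 checksum for each file but no command to check it. The script below is an added example, not part of Esri's instructions or tooling: it compares a downloaded file against the values published in the tables on this page before the file is extracted or applied. The function names (published_md5, check_md5, verify_patch) are illustrative, and it assumes md5sum is available on the machine.

```sh
#!/bin/sh
# Added example, not Esri tooling: check a downloaded patch file against the
# Md5 values listed in the tables on this page before extracting or applying it.

# Published checksums copied from this page, keyed by file name.
published_md5() {
  case "$1" in
    ArcGIS-1041-PFA-SEC2017U1-Patch.msp)       echo CB4FBF0F564B566731BC8FE78C4A653B ;;
    ArcGIS-104-PFA-SEC2017U1-Patch.msp)        echo A00263A131C9571017294FBA51BC37FE ;;
    ArcGIS-1041-PFA-SEC2017U1-Patch-linux.tar) echo 0975764E596C73D5AA1B5570011FC4A8 ;;
    ArcGIS-104-PFA-SEC2017U1-Patch-linux.tar)  echo 9450A0D74074AE8FB676612BD9806581 ;;
    *) return 1 ;;
  esac
}

# check_md5 FILE EXPECTED: 0 = match, 1 = mismatch, 2 = file not readable.
# md5sum prints lowercase hex while the page lists uppercase, so both sides
# are normalised before comparing.
check_md5() {
  [ -r "$1" ] || return 2
  actual=$(md5sum < "$1" | cut -d' ' -f1 | tr '[:lower:]' '[:upper:]')
  wanted=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  [ "$actual" = "$wanted" ]
}

# verify_patch FILE: 0 = checksum matches, 1 = checksum mismatch,
# 2 = file name not in the tables above, or file missing/unreadable.
verify_patch() {
  expected=$(published_md5 "$(basename "$1")") || {
    echo "SKIP $1: no published checksum for this file name" >&2; return 2; }
  rc=0
  check_md5 "$1" "$expected" || rc=$?
  case $rc in
    0) echo "OK   $1" ;;
    1) echo "FAIL $1: expected $expected, got $actual; download again" >&2 ;;
    *) echo "FAIL $1: cannot read file" >&2 ;;
  esac
  return $rc
}

# Usage: sh verify_patch.sh ArcGIS-1041-PFA-SEC2017U1-Patch-linux.tar
if [ $# -gt 0 ]; then
  for f in "$@"; do verify_patch "$f" || exit $?; done
fi
```

A matching Md5 shows the download is complete and uncorrupted; MD5 is not collision-resistant, so the file should still be obtained directly from Esri.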

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

January 19, 2017: Portal for ArcGIS 10.4.1 download is now available.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575 if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.