
Portal for ArcGIS Security (January 2015) Patch

Summary

This security patch addresses vulnerabilities found in Portal for ArcGIS. Esri recommends that all customers using Portal for ArcGIS 10.2.1 and 10.2.2 apply this patch. Customers who are using 10.2 should first upgrade to 10.2.1 or 10.2.2.

Description

Introduction

Esri® announces the Portal for ArcGIS Security (January 2015) Patch. Esri recommends that all customers using Portal for ArcGIS 10.2.1 and 10.2.2 apply this patch. This patch addresses the SSLv3 (POODLE) vulnerability, two cross-site scripting vulnerabilities and secures the Portal proxy capability. It deals specifically with the issues listed below under Issues Addressed with this Patch.


Esri strongly recommends the installation of the latest security patches on all products. If you are using the ArcGIS Web Adaptor for Java, you must also install the ArcGIS Web Adaptor for Java (January 2015) Security Patch.


Issues Addressed with this patch


  • BUG-000082666 - Disable SSLv3 to prevent CVE-2014-3566 "POODLE" vulnerability.

  • BUG-000083072 - Reflected cross-site scripting (XSS) vulnerability in Portal for ArcGIS.

  • BUG-000082294 - Reflected cross-site scripting (XSS) vulnerability in Portal for ArcGIS.

  • Note: Both BUG-000083072 and BUG-000082294 deal with XSS issues: one in the login control and one in redirect logic.

  • NIM104047 - Secure Portal for ArcGIS' proxy capability.

To avoid conflicts with existing patches, the 10.2.2 patch also addresses these issues:
  • NIM103102 - When adding a GIS tier secured ArcGIS for Server map service under 'My Content' in Portal for ArcGIS, the option to save credentials is available but when selected, the credentials are not saved.

  • NIM099352 - Unable to save credentials for ArcGIS for Server-based content being added to Portal from ArcGIS when the desired service is secured with Windows authentication.

  • NIM104456 - Certain Portal operations fail to use the forward proxy server information defined in the system properties.

To avoid conflicts with existing patches, the 10.2.1 patch also addresses these issues:
  • NIM095781 - Unable to add a KML file as an item to a PKI secured portal.

  • NIM096607 - Add support for configuring forward proxy server information in the portal's service proxy.

  • NIM099276 - Portal proxy should consider DNS Name in Subject Alternative Name when validating an SSL certificate.

  • NIM099073 - When Portal for ArcGIS is authorized with a perpetual license, the Membership Count table on the 'My Organization' page does not display.

Installing this patch on Windows

Installation Steps:

Portal for ArcGIS must be installed before installing this patch.

  1. Download the appropriate file to a location other than your Portal for ArcGIS installation location.

  2. Checksum (Md5)

    Portal for ArcGIS 10.2.1    ArcGIS-1021-PFA-SEC-JAN2015-Patch.msp    2D5F5D4D6FCE5D1A713D5D2EFE6C0D82
    Portal for ArcGIS 10.2.2    ArcGIS-1022-PFA-SEC-JAN2015-Patch.msp    7186D407962C38E4E307469A1B8EBF57

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-<Version>-PFA-SEC-JAN2015-Patch.msp to start the setup process.

    NOTE: If double-clicking the MSP file does not start the setup installation, you can start it manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-PFA-SEC-JAN2015-Patch.msp

Installing this patch on Linux

Installation Steps:

Complete the following install steps as the Portal for ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

Portal for ArcGIS must be installed before installing this patch.

  1. Download the appropriate file to a location other than your Portal for ArcGIS installation location.


    Checksum (Md5)

    Portal for ArcGIS 10.2.1    ArcGIS-1021-PFA-SEC-JAN2015-Patch-lx.tar    7F8BD4C049BEDE9A09534619E785E3DD
    Portal for ArcGIS 10.2.2    ArcGIS-1022-PFA-SEC-JAN2015-Patch-lx.tar    FF17CDDB6664BB4ACF3766C972BD1A2E

  2. Make sure you have write access to your Portal for ArcGIS installation location, and that no one is using Portal for ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-PFA-SEC-JAN2015-Patch-lx.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
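
The download check implied by the Linux checksum table above, as an added example (not Esri's code): it compares the tarball's MD5 with the value published on this page and extracts only on a match. The function names are hypothetical, and `md5sum` from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: verify the Linux patch tarball against the MD5 values
# published on this page before extracting it. Function names are hypothetical.

# Published checksum for a given patch file name (values copied from the page).
expected_md5_for() {
    case "$(basename "$1")" in
        ArcGIS-1021-PFA-SEC-JAN2015-Patch-lx.tar) echo 7F8BD4C049BEDE9A09534619E785E3DD ;;
        ArcGIS-1022-PFA-SEC-JAN2015-Patch-lx.tar) echo FF17CDDB6664BB4ACF3766C972BD1A2E ;;
        *) return 1 ;;   # unknown file: no published checksum to compare against
    esac
}

# MD5 of a file, upper-cased to match the page's notation.
file_md5() {
    md5sum < "$1" | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# Succeeds only if the file's MD5 equals the expected value (case-insensitive).
md5_matches() {
    [ -r "$1" ] || return 2
    want_md5=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$(file_md5 "$1")" = "$want_md5" ]
}

# Verify, then extract. Running ./applypatch is left to the install owner.
verify_and_extract() {
    tarball=$1
    want=$(expected_md5_for "$tarball") || {
        echo "no published MD5 for $tarball" >&2
        return 1
    }
    if md5_matches "$tarball" "$want"; then
        echo "MD5 OK: $tarball"
        tar -xvf "$tarball"
    else
        echo "MD5 MISMATCH for $tarball (expected $want); not extracting" >&2
        return 1
    fi
}

# Usage: sh verify_patch.sh ArcGIS-<Version>-PFA-SEC-JAN2015-Patch-lx.tar
if [ "$#" -gt 0 ]; then
    verify_and_extract "$1"
fi
```

An MD5 match shows the download is not corrupted or truncated; MD5 is not collision-resistant, so it does not by itself prove the file's origin.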

Uninstalling this patch

To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the Portal for ArcGIS Security (January 2015) Patch from the programs list and click Uninstall to remove the patch.

To uninstall this patch on Linux, you will need to completely uninstall the Portal for ArcGIS product. For more information regarding uninstalling Portal for ArcGIS on Linux, please see the Uninstalling Portal for ArcGIS on Linux page.

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

February 17, 2015: The Portal for ArcGIS 10.2.1 Security January 2015 Patch was temporarily removed to resolve an issue with the federation of servers that use self-signed certificates and an issue with the patch un-installer. If you installed this patch prior to February 17, 2015, you will need to follow the instructions for Uninstalling this patch and then re-install.

February 18, 2015: The Portal for ArcGIS 10.2.2 version is now released.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575 if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.