Portal for ArcGIS 10.3.1 Security 2016 Update 1 Patch

Summary

This security patch addresses a security vulnerability found in Portal for ArcGIS. Esri recommends that all customers using Portal for ArcGIS 10.3.1 apply this patch.

Description

Introduction

Esri® announces the Portal for ArcGIS 10.3.1 Security 2016 Update 1 Patch. This patch addresses an insecure method of generating a token that could allow the username or password to be captured. Esri recommends that all customers using Portal for ArcGIS 10.3.1 apply this patch. This patch deals specifically with the issues listed below under Issues Addressed with this patch.


Issues Addressed with this patch


  • BUG-000094105 - Portal generateToken operation fails to reject POST requests which contain the username or password in the query parameter.

To avoid conflicts with existing patches, this patch also addresses these issues:
  • BUG-000090552 - When editing the URL settings of an item in Portal for ArcGIS 10.3.1, the item URL does not save and reverts back to the original.

  • BUG-000091354 - Portal fails to refresh membership for users outside of the domain that the Portal server resides in.

  • BUG-000088826 - After upgrading from 10.3 or earlier, passwords for built-in portal accounts in Portal for ArcGIS cannot be changed by the user.

  • BUG-000088682 - When Portal is configured to be SSL Only, Web AppBuilder URLs are saved as HTTP instead of HTTPS.

  • BUG-000085589 - Unable to display map layers added directly to a Portal Web Map when both Portal and ArcGIS Server are configured to use Integrated Windows Authentication (IWA) and both Web Adaptors are deployed on the same server.

  • BUG-000088505 - Portal highly available configuration should not be reset to standalone Portal if the shared content folder is not available.

  • BUG-000086481 - Incorrect geometries are displayed when reprojecting a hosted service in the map viewer.

  • BUG-000084180 - In Portal for ArcGIS, when editing a user profile, the First Name and Last Name text fields always show as blank on the Edit My Profile page.
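
Added example (not Esri's code and not part of the patch): BUG-000094105 means generateToken accepted a username or password sent in the query string, and query strings are commonly recorded in web server and proxy access logs. The Python sketch below scans access-log lines for such requests so the affected accounts can have their passwords changed; the Common Log Format layout, the /arcgis/sharing/rest/generateToken path and every sample line are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request part of a Common/Combined Log Format line (assumed log layout):
#   ip ident user [time] "METHOD url HTTP/x" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"')
SENSITIVE = ("username", "password")

def find_exposed_credentials(lines):
    """Return one finding per generateToken request that carried a username
    or password in the query string. Password values are never copied."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log request line
        url = urlsplit(m["url"])
        if not url.path.lower().rstrip("/").endswith("/generatetoken"):
            continue  # some other endpoint
        # Match parameter names case-insensitively and keep blank values.
        params = {k.lower(): v for k, v in
                  parse_qs(url.query, keep_blank_values=True).items()}
        exposed = [p for p in SENSITIVE if p in params]
        if exposed:
            findings.append({
                "time": m["ts"], "client": m["ip"], "method": m["method"],
                "exposed": exposed,
                "account": params.get("username", ["<unknown>"])[0],
            })
    return findings

# Constructed sample lines: hosts, paths and accounts are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2016:10:01:02 +0000] "POST /arcgis/sharing/rest/generateToken?username=jdoe&password=Secret1&f=json HTTP/1.1" 200 312',
    '203.0.113.7 - - [12/Mar/2016:10:01:09 +0000] "POST /arcgis/sharing/rest/generateToken HTTP/1.1" 200 312',
    '198.51.100.4 - - [12/Mar/2016:10:05:40 +0000] "GET /arcgis/sharing/rest/generateToken?f=json&Password=x HTTP/1.1" 200 98',
    '198.51.100.4 - - [12/Mar/2016:10:06:00 +0000] "GET /arcgis/home/index.html?username=foo HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} generateToken: "
              f"{', '.join(f['exposed'])} in query string; "
              f"change password for {f['account']}")
```

Access logs that contain matches hold the exposed values themselves and should be handled as sensitive.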

Installing this patch on Windows


Installation Steps:


Portal for ArcGIS 10.3.1 must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. Portal for ArcGIS 10.3.1                                  Checksum (Md5)
     Portal for ArcGIS   ArcGIS-1031-PFA-SEC2016U1-Patch.msp   4744B968BF1EA883E60189A157DDC07A

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-1031-PFA-SEC2016U1-Patch.msp to start the setup process.

    NOTE: If double-clicking the MSP file does not start the setup installation, you can start it manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-1031-PFA-SEC2016U1-Patch.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

ArcGIS 10.3.1 for Server (Linux) must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    ArcGIS 10.3.1                                                   Checksum (Md5)
    Portal for ArcGIS   ArcGIS-1031-PFA-SEC2016U1-Patch-linux.tar   DF7B1BD79D1D080CE9A264DF22FA0B06

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-1031-PFA-SEC2016U1-Patch-linux.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.