Patches and updates

Portal for ArcGIS Security 2019 Update 2 Patch

Published: October 10, 2019

Summary

Esri recommends that all customers using Portal for ArcGIS 10.7.1, 10.6.1, 10.5.1 and 10.4.1 install this patch.

Description

Esri® announces the Portal for ArcGIS Security 2019 Update 2 Patch. Esri recommends that all customers using Portal for ArcGIS 10.7.1, 10.6.1, 10.5.1 and 10.4.1 install this patch. This patch addresses the issues described under Issues Addressed with this patch.

Note: This cumulative security patch includes several security-related and non-security bug fixes from earlier patches. For the complete list of issues addressed by these patches, see the section Issues Addressed with this patch.

Issues Addressed with this patch


  • BUG-000125434: A geoprocessing service with the GPDataFile input type does not provide the option to upload a file in the Web AppBuilder for ArcGIS geoprocessing widget in Portal for ArcGIS 10.7.1.
  • BUG-000125033: Users signed in through Integrated Windows Authentication (IWA) cannot search for layers under My Organization in Map Viewer.
  • BUG-000124953: Portal for ArcGIS application information exposure
  • BUG-000123690: Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application
    CVSS 3.0 Base Score: 5.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • BUG-000119891: Portal for ArcGIS profiles allow HTML injection (Only in 10.6.1 and 10.5.1)
    CVSS 3.0 Base Score: 3.5 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
To avoid conflicts, the following issues are also addressed with version 10.6.1:
  • BUG-000121145: Portal proxy does not fully validate allowedProxyHosts parameter
    CVSS 3.0 Base Score: 4.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
  • BUG-000120392: Smart Editor Widget Fails to Set Attribute Action Expressions in Portal for ArcGIS 10.6.1
  • BUG-000120333: Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application
    CVSS 3.0 Base Score: 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • BUG-000120061: Related data points to the same feature in Web AppBuilder for ArcGIS for Portal for ArcGIS when there are multiple relationships to the same feature class.
  • BUG-000117926: Unable to synchronize collaboration workspaces when the guest participant's content directory uses a Cloud Store.
  • BUG-000117564: Privilege escalation vulnerability
  • BUG-000117369: Reflected cross-site scripting (XSS) in item URL
  • BUG-000117367: Un-validated redirect in Portal for ArcGIS
  • BUG-000116870: Unable to share Insights Workbooks, Pages and Model items to Everyone.
  • BUG-000116734: The Attribute Table widget selections are not consistently honored by the Edit widget.
  • BUG-000116687: Temporal filters created from tool parameters in Portal for ArcGIS Map Viewer are incorrectly formatted and cause tool failures.
  • BUG-000115964: The App Launcher becomes unavailable after the external content is disabled.
  • BUG-000115859: Starting at zoom level 18, the selection shape of a selected polygon differs from the shape of the polygon for map services added at the map server level from an ArcGIS Server 10.6.1
  • BUG-000114004: The Show Related Records option in the Attribute Table widget returns no records in the related table.
  • BUG-000112707: Reflected cross-site scripting (XSS) in Portal for ArcGIS Home application.
  • BUG-000112342: The webgisdr incremental restore fails when Geo Analytics Server is federated and registered with Portal as the Geo Analytics Server.
  • ENH-000123305: Include relationship name along with table name to better distinguish different relationships on the same table.
  • ENH-000116621: Add the ability to modify the maximum token expiration time of tokens generated to login to Portal for ArcGIS when using IDP-initiated logins.
To avoid conflicts, the following issues are also addressed with version 10.5.1:
  • BUG-000122276: Portal item details show 'Shared with: item is not share' when item is shared to a group when logged in using a custom role.
  • BUG-000121145: Portal proxy does not fully validate allowedProxyHosts parameter
    CVSS 3.0 Base Score: 4.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
  • BUG-000120333: Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application
    CVSS 3.0 Base Score: 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • BUG-000117564: Privilege escalation vulnerability
  • BUG-000117369: Reflected cross-site scripting (XSS) in item URL
  • BUG-000117367: Un-validated redirect in Portal for ArcGIS
  • BUG-000116992: When configuring the Create Buffer analysis tool in the Portal for ArcGIS map viewer, changing the input buffer layer between different geometry types does not correctly refresh the available buffer options.
  • BUG-000114549: The contrast between active and inactive arrows of the extent navigator in Web AppBuilder for ArcGIS must be increased when against dark backgrounds.
  • BUG-000114533: If the Portal restore or upgrade fails, it should roll back to its previous state automatically.
  • BUG-000114489: Keyhole Markup Language (KML) servlet does not fully honor the proxy settings.
  • BUG-000114488: Portal for ArcGIS index service has a security vulnerability.
  • BUG-000113157: Portal for ArcGIS Import Site fails if the backup contains Thumbs.db files.
  • BUG-000112749: Reflected cross-site scripting (XSS) in ArcGIS Online Map Viewer.
  • BUG-000112707: Reflected cross-site scripting (XSS) in Portal for ArcGIS Home application.
  • BUG-000112595: Clicking the email link in the Share widget causes an unwanted browser navigation prompt.
  • BUG-000112477: The Add marker Feature Action does not work as expected.
  • BUG-000112360: Portal for ArcGIS Web Application Builder has a cross-site scripting (XSS) vulnerability.
  • BUG-000112358: Sanitize URLs provided to legend resource to remove invalid characters in SOAP URL.
  • BUG-000112357: Unvalidated redirect in /portal/sharing/login and portal/sharing/rest/login endpoints of Portal for ArcGIS.
  • BUG-000112161: Portal for ArcGIS CityEngine Web Viewer has a reflected cross-site scripting (XSS) issue.
  • BUG-000112088: The Show Table operation in the Portal for ArcGIS 10.5.1 web map does not return the attribute of the image service.
  • BUG-000112059: In Portal for ArcGIS, the Select options of the Buffer tool in the Analysis widget of Web AppBuilder for ArcGIS remains stuck if the hosted feature layers is in the following order: points, polygons, polylines, and back to points.
  • BUG-000112026: After applying the Portal for ArcGIS Security 2018 Update 1 Patch, when signing into Portal for ArcGIS Home application, if a domain user types an incorrect password, all domain users then become locked out of Portal for ArcGIS.
  • BUG-000111942: Symbology is not retained on a shared feature layer when a filter is applied and the layer is accessed by another user to create their own web map.
  • BUG-000111424: Pop-ups display when switching between the Draw, Measurement, and Coordinate widgets.
  • BUG-000111090: Select widget loses selection when using Create Layer functionality on a layer added via the Add Data widget in Web AppBuilder in Portal for ArcGIS.
  • BUG-000111077: Execution Error: Illegal Value Assignment to Feature When Editing Labels in a Portal Web Map with Layer Visibility turned off.
  • BUG-000111058: Arcade Editor makes calls to "fast.fonts.net" domain, causing significant delays in disconnected networks.
  • BUG-000110677: Previously drawn data is not cleared off the screen when zooming out.
  • BUG-000110632: GeoEvent based map and feature services that are related should not become combined together when both are added to the Map Viewer table of contents.
  • BUG-000110542: In Web AppBuilder for ArcGIS, the Create Layer option is not enabled if only one feature is selected. (Not in Doc)
  • BUG-000110291: Portal for ArcGIS should not parse entity tags.
  • BUG-000110290: Remove invalid record entries from the Portal for ArcGIS internal database.
  • BUG-000109870: In the map viewer, vector tiles do not respect visible scale settings when zooming out and polygons are distributed in non-adjacent areas.
  • BUG-000109517: In the 10.5.1 Portal for ArcGIS Map Viewer, the Create Labels panel does not function for map services published from map document with 'Allow assignment of unique numeric IDs for map service publishing' setting specified.
  • BUG-000108753: Portal for ArcGIS configured with portal-tier authentication and automatic account creation enabled will create accounts that exceed the number of licenses available.
  • BUG-000108364: The Add Data widget included in Portal for ArcGIS and the Web App Builder Developer edition returns an error after browsing to a CSV file.
  • BUG-000108155: Endless generateToken requests are triggered in map viewer when token expires for a Portal configured with Integrated Windows Authentication (IWA) and federated with ArcGIS Server.
  • BUG-000107814: Create Labels does not work in Portal for ArcGIS 10.5.1 for ArcGIS Server 10.5.1 Map Services.
  • BUG-000107440: Portal for ArcGIS disallows access to portaladmin when the actual machine name is not listed in the certificate.
  • BUG-000107004: An error message is returned when running the Extract Data Task geoprocessing service in the Web AppBuilder for ArcGIS for Portal for ArcGIS 10.5.1 in Internet Explorer.
  • BUG-000106917: Portal for ArcGIS 10.5.1 Map Viewer does not load the Bing Roads Base Map when HTTPS only is enabled due to certificate mismatch errors on the requested tiles.
  • BUG-000106909: Filtering a map service does not filter the attribute table in the web map.
  • BUG-000106874: Attachments are not preserved in the popup in web maps when using search by layer functionality.
  • BUG-000106303: Portal for ArcGIS does not fully honor the 'domainControllerAddress' setting in the security configuration.
  • BUG-000105202: When accessing a secured service in Portal with saved credentials, the proxied generate token request does not honor the nonProxyHosts parameter.
  • BUG-000105062: The Add Data widget included in Portal for ArcGIS and the Web App Builder Developer edition fails to draw results after browsing to a zipped shapefile.
  • BUG-000104949: Basemaps in the WGS84 coordinate system do not draw in the Item Details Set Extent dialog box.
  • BUG-000103846: Portal for ArcGIS has a hard-coded credential vulnerability.
  • ENH-000103213: Add an option to enforce encrypted communication between Portal for ArcGIS and Active Directory.
To avoid conflicts, the following issues are also addressed with version 10.4.1:
  • BUG-000121145: Portal proxy does not fully validate allowedProxyHosts parameter
    CVSS 3.0 Base Score: 4.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
  • BUG-000120333: Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application
    CVSS 3.0 Base Score: 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • BUG-000117564: Privilege escalation vulnerability
  • BUG-000117369: Reflected cross-site scripting (XSS) in item URL
  • BUG-000117367: Un-validated redirect in Portal for ArcGIS
  • BUG-000114489: Keyhole Markup Language (KML) servlet does not fully honor the proxy settings.
  • BUG-000114325: Multiple pages in Portal for ArcGIS 10.3.x and 10.4.x do not display correctly after updating to Chrome 67.
  • BUG-000112749: Reflected cross-site scripting (XSS) in ArcGIS Online Map Viewer.
  • BUG-000112707: Reflected cross-site scripting (XSS) in Portal for ArcGIS Home application.
  • BUG-000112360: Portal for ArcGIS Web Application Builder has a cross-site scripting (XSS) vulnerability.
  • BUG-000112358: Sanitize URLs provided to legend resource to remove invalid characters in SOAP URL.
  • BUG-000112357: Unvalidated redirect in /portal/sharing/login and portal/sharing/rest/login endpoints of Portal for ArcGIS.
  • BUG-000112161: Portal for ArcGIS CityEngine Web Viewer has a reflected cross-site scripting (XSS) issue.
  • BUG-000110291: Portal for ArcGIS should not parse entity tags.
  • BUG-000110290: Remove invalid record entries from the Portal for ArcGIS internal database.
  • BUG-000108753: Portal for ArcGIS configured with portal-tier authentication and automatic account creation enabled will create accounts that exceed the number of licenses available.
  • BUG-000108155: Endless generateToken requests are triggered in map viewer when token expires for a Portal configured with Integrated Windows Authentication (IWA) and federated with ArcGIS Server.
  • BUG-000104718: Tiles for a hosted tile layer from ArcGIS Online are not visible in the Portal for ArcGIS map viewer if the tile layer is added as an item with stored credentials.
  • BUG-000104116: When adding members to Portal for ArcGIS using enterprise logins, users with user names less than six characters are not added even though no such limit actually exists in Portal for ArcGIS.
  • BUG-000103731: In a highly available Portal deployment, the primary node reverts to the 'Create New Site' state, if the primary node loses connection to the content directory.
  • BUG-000103700: Portal login page displays in English instead of default language if 'Allow anonymous access to your portal' is unchecked.
  • BUG-000102927: When a layer is slow to display in the Map Viewer, the message indicating that the layer is unresponsive does not automatically dismiss once the layer draws.
  • BUG-000102793: Large Active Directory group structures cause latency issues with Portal for ArcGIS.
  • BUG-000101562: Unable to access Portal for ArcGIS's "Edit Settings" option when using the Java Web Adaptor with Apache Tomcat 7.0.73+ or 8.0.39+.
  • BUG-000100424: The Web AppBuilder for ArcGIS Geoprocessing widget fails to display the output table when the geoprocessing service is published with the 'View result with a map service' parameter.
  • BUG-000100420: The check box for layers in the Layer List widget does not work after refreshing or launching the application again for map service feature layers when the group layer is unchecked and the sub layers are checked.
  • BUG-000099447: Unable to upload files in the Portal home application after updating the browser to Firefox 49 or Chrome 54.
  • BUG-000098559: Un-validated redirect in Portal for ArcGIS.
  • BUG-000098482: Cross-site scripting (XSS) issue in Portal for ArcGIS.
  • BUG-000098148: Refresh membership for enterprise users and groups fails to honor nested group membership in universal groups.
  • BUG-000098118: Portal for ArcGIS exposes internal information.
  • BUG-000098025: Bypass of URL redirection rule in Portal for ArcGIS.
  • BUG-000097777: Support SAML logins to Portal for ArcGIS when a reverse proxy is defined using the WebContextURL property.
  • BUG-000096571: The secure attribute is not present on a cookie in Portal for ArcGIS.
  • BUG-000096570: Reflected cross-site scripting (XSS) is possible in Portal for ArcGIS.
  • BUG-000096161: Error "unable to refresh item" is returned when performing analysis using the spatial analysis tools in Portal for ArcGIS Map viewer. This error occurs when ArcGIS Web Adaptor (or any reverse proxy) is on a machine different from the Hosting ArcGIS Server.
  • BUG-000094537: Active Directory users who belong to an enterprise group with the same name as a group within a different domain are granted access to Portal for ArcGIS 10.4 even if they do not belong to the group.
  • BUG-000094523: Cross Domain users cannot see which Enterprise groups they are a member of within Portal for ArcGIS 10.4.
  • BUG-000091316: Some Portal upload operations do not validate file type correctly.
  • ENH-000103213: Add an option to enforce encrypted communication between Portal for ArcGIS and Active Directory.
  • ENH-000092759: Support enterprise usernames with a minimum length of 3 characters.
  • NIM104313: Logging out an enterprise user in Portal for ArcGIS does not propagate the user logout to the corresponding SAML Identity Provider.

Installing this patch on Windows

Installation Steps:

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, see the section How to identify which ArcGIS products are installed. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. ArcGIS 10.7.1   Checksum (MD5)

        Portal for ArcGIS   Important Note: This download has been disabled. It is replaced by the Portal for ArcGIS 10.7.1 High Availability Licensing Patch, and Esri recommends that all customers using Portal for ArcGIS 10.7.1, including users who have already installed this patch, install the Portal for ArcGIS 10.7.1 High Availability Licensing Patch as soon as possible. Linux setups were not affected.

    ArcGIS 10.6.1   Checksum (MD5)

        Portal for ArcGIS   ArcGIS-1061-PFA-SEC2019U2-Patch.msp   4DF1BDBC57DFFD668F0FEBFCCB7E53CE

    ArcGIS 10.5.1   Checksum (MD5)

        Portal for ArcGIS   ArcGIS-1051-PFA-SEC2019U2-Patch.msp   1898615626019110507227D597FA28A4

    ArcGIS 10.4.1   Checksum (MD5)

        Portal for ArcGIS   ArcGIS-1041-PFA-SEC2019U2-Patch.msp   0B2960C80F30BC9BC67A86274CF642EF
         

  3. Make sure you have write access to your ArcGIS installation directory.

  4. Double-click "ArcGIS-<Version>-PFA-SEC2019U2-Patch.msp" to start the setup.

    NOTE: If double-clicking the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-PFA-SEC2019U2-Patch.msp


Installing this patch on Linux

Installation Steps:

Complete the following installation steps as the ArcGIS install owner. The install owner is the owner of the ArcGIS folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, see the section How to identify which ArcGIS products are installed. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    ArcGIS 10.7.1   Checksum (MD5)

        Portal for ArcGIS   ArcGIS-1071-PFA-SEC2019U2-Patch-linux.tar   E41EF16E60D1487FDAE27AEE1F487BF7

    ArcGIS 10.6.1   Checksum (MD5)

        Portal for ArcGIS   ArcGIS-1061-PFA-SEC2019U2-Patch-linux.tar   AA6E3E03718E54F498555DEADF03CC34

    ArcGIS 10.5.1   Checksum (MD5)

        Portal for ArcGIS   ArcGIS-1051-PFA-SEC2019U2-Patch-linux.tar   F290506B28C74ED692BAAED1FFD7AC4D

    ArcGIS 10.4.1   Checksum (MD5)

        Portal for ArcGIS   ArcGIS-1041-PFA-SEC2019U2-Patch-linux.tar   0A5EE30EF61D068607F9A7F7F0C2AB51
         

  2. Make sure you have write access to your ArcGIS installation directory and that no other user is using ArcGIS.

  3. Extract the specified TAR file by typing the following command:

    % tar -xvf ArcGIS-<Version>-PFA-SEC2019U2-Patch-linux.tar

  4. Start the installation by typing the following command:

    % ./applypatch

    This starts the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure at any time, type "q".
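The published checksums can be checked after step 1 and before the archive is extracted in step 3. The following shell functions are an added example, not part of Esri's instructions: the function names are assumptions, the file names and MD5 values are the ones listed in the table above, and GNU `md5sum` is assumed to be installed. The comparison is case-insensitive because the table lists uppercase values while `md5sum` prints lowercase.

```shell
#!/bin/sh
# Added example (not Esri's code): verify a downloaded Linux patch archive
# against the MD5 values published on this page before extracting it.

# Print the published MD5 for a patch file name; fail if the name is unknown.
published_md5() {
    case "$1" in
        ArcGIS-1071-PFA-SEC2019U2-Patch-linux.tar) echo E41EF16E60D1487FDAE27AEE1F487BF7 ;;
        ArcGIS-1061-PFA-SEC2019U2-Patch-linux.tar) echo AA6E3E03718E54F498555DEADF03CC34 ;;
        ArcGIS-1051-PFA-SEC2019U2-Patch-linux.tar) echo F290506B28C74ED692BAAED1FFD7AC4D ;;
        ArcGIS-1041-PFA-SEC2019U2-Patch-linux.tar) echo 0A5EE30EF61D068607F9A7F7F0C2AB51 ;;
        *) return 1 ;;
    esac
}

# verify_patch_md5 FILE [EXPECTED_MD5]
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or no
# published checksum is known for its name.
verify_patch_md5() {
    file=$1
    name=$(basename "$file")
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }

    if [ -n "${2:-}" ]; then
        expected=$2
    else
        expected=$(published_md5 "$name") || {
            echo "no published checksum for $name" >&2
            return 2
        }
    fi

    # Normalize both sides to uppercase before comparing.
    expected=$(printf '%s' "$expected" | tr '[:lower:]' '[:upper:]')
    actual=$(md5sum "$file" | cut -d' ' -f1 | tr '[:lower:]' '[:upper:]')

    if [ "$actual" = "$expected" ]; then
        echo "OK $name"
        return 0
    fi
    echo "MISMATCH $name: expected $expected, got $actual" >&2
    return 1
}

# Stand-alone use: sh verify.sh ArcGIS-1061-PFA-SEC2019U2-Patch-linux.tar
[ "$#" -eq 0 ] || verify_patch_md5 "$@"
```

Run `tar -xvf` and `./applypatch` only when the function returns 0; a mismatch means the download is incomplete or altered and should be fetched again.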

Uninstalling this patch on Windows

  • To uninstall this patch on Windows, open the Windows Control Panel and navigate to "Programs and Features". Make sure that "View installed updates" (upper left side of the "Programs and Features" dialog) is active. Select the patch name from the programs list and click "Uninstall" to remove the patch.

Uninstalling this patch on Linux

This patch can only be uninstalled at version 10.6 and later. To remove this patch, navigate to the "/tmp" directory and run the following script as the ArcGIS install owner:

./patchremove

Note: You can only remove the most recently installed patch.

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

March 19, 2020: The download of the 10.7.1 Windows setup has been disabled. For more information, see the Important Note in the download section.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed on the machine, choose the appropriate version of the PatchFinder utility for your environment and run it on the local machine. PatchFinder lists all products, hot fixes, and patches installed on the local machine.

Getting Help

Customers in the US should contact Esri Technical Support at +1 888 377 4575 if they have problems installing the patch. Customers outside the US should contact their local Esri software distributor.



Download ID:7749
