Portal for ArcGIS 2018 Update 2-Sicherheits-Patch

Mit diesem Sicherheits-Patch werden mehrere Sicherheitslücken in Portal for ArcGIS geschlossen. Esri empfiehlt, dass alle Kunden, die Portal for ArcGIS 10.5.1, 10.4.1 und 10.3.1 verwenden, diesen Patch installieren.

Esri® kündigt den Portal for ArcGIS 2018 Update 2-Sicherheits-Patch an. Esri empfiehlt, dass alle Kunden, die Portal for ArcGIS 10.5.1, 10.4.1 und 10.3.1 verwenden, diesen Patch installieren. Durch diesen Patch werden die Probleme behoben, die unter "Mit diesem Patch behobene Probleme" beschrieben sind. Dieser kumulative Sicherheits-Patch enthält einige nicht sicherheitsbezogene Problembehebungen aus einem früheren Patch, die auch unter "Mit diesem Patch behobene Probleme" beschrieben sind. Durch ihn werden die Probleme behoben, die unter Mit diesem Patch behobene Probleme beschrieben sind.

Mit diesem Patch behobene Probleme

• BUG-000114533 - If the Portal restore or upgrade fails, it should roll back to its previous state automatically.
• BUG-000114489 - Incorrect proxy access control vulnerability.
• BUG-000114488 - Weak storage of sensitive information vulnerability in Portal for ArcGIS. (Nur Portal for ArcGIS 10.5.1)
• BUG-000112749 - Reflected cross-site scripting (XSS) vulnerability in Portal for ArcGIS.
• BUG-000112358 - Reflected cross-site scripting (XSS) vulnerability in Portal for ArcGIS.
• BUG-000112360 - Stored cross-site scripting (XSS) vulnerability in Portal for ArcGIS. (Nur Portal for ArcGIS 10.5.1)
• BUG-000112357 - Un-validated redirect in Portal for ArcGIS.
• BUG-000112161 - Reflected cross-site scripting (XSS) vulnerability in Portal for ArcGIS.

Um Konflikte zu vermeiden, werden mit Version 10.5.1 auch die folgenden Probleme behoben:

• BUG-000113157 - Portal for ArcGIS Import Site fails if the backup contains Thumbs.db files.
• BUG-000112088 - The Show Table operation in the Portal for ArcGIS 10.5.1 web map does not return the attribute of the image service.
• BUG-000112026 - After applying the Portal for ArcGIS Security 2018 Update 1 Patch, when signing into Portal for ArcGIS Home application, if a domain user types an incorrect password, all domain users then become locked out of Portal for ArcGIS.
• BUG-000111942 - Symbology is not retained on a shared feature layer when a filter is applied and the layer is accessed by another user to create their own web map.
• BUG-000111090 - Select widget loses selection when using Create Layer functionality on a layer added via the Add Data widget in Web AppBuilder in Portal for ArcGIS.
• BUG-000111077 - Execution Error: Illegal Value Assignment to Feature When Editing Labels in a Portal Web Map with Layer Visibility turned off.
• BUG-000111058 - Arcade Editor makes calls to "fast.fonts.net" domain, causing significant delays in disconnected networks.
• BUG-000110632 - GeoEvent based map and feature services that are related should not become combined together when both are added to the Map Viewer table of contents.
• BUG-000110542 - In Web AppBuilder for ArcGIS, the Create Layer option is not enabled if only one feature is selected.
• BUG-000110291 - Portal for ArcGIS should not parse entity tags.
• BUG-000110290 - Remove invalid record entries from the Portal for ArcGIS internal database.
• BUG-000109870 - In the map viewer, vector tiles do not respect visible scale settings when zooming out and polygons are distributed in non-adjacent areas.
• BUG-000109517 - In the 10.5.1 Portal for ArcGIS Map Viewer, the Create Labels panel does not function for map services published from map document with 'Allow assignment of unique numeric IDs for map service publishing' setting specified.
• BUG-000108753 - Portal for ArcGIS configured with portal-tier authentication and automatic account creation enabled will create accounts that exceed the number of licenses available.
• BUG-000108155 - Endless generateToken requests are triggered in map viewer when token expires for a Portal configured with Integrated Windows Authentication (IWA) and federated with ArcGIS Server.
• BUG-000107814 - Create Labels does not work in Portal for ArcGIS 10.5.1 for ArcGIS Server 10.5.1 Map Services.
• BUG-000107440 - Portal for ArcGIS disallows access to portaladmin when the actual machine name is not listed in the certificate.
• BUG-000107004 - An error message is returned when running the Extract Data Task geoprocessing service in the Web AppBuilder for ArcGIS for Portal for ArcGIS 10.5.1 in Internet Explorer.
• BUG-000106917 - Portal for ArcGIS 10.5.1 Map Viewer does not load the Bing Roads Base Map when HTTPS only is enabled due to certificate mismatch errors on the requested tiles.
• BUG-000106909 - Filtering a map service does not filter the attribute table in the web map.
• BUG-000106874 - Attachments are not preserved in the popup in web maps when using search by layer functionality.
• BUG-000106303 - Portal for ArcGIS does not fully honor the 'domainControllerAddress' setting in the security configuration.
• BUG-000105202 - When accessing a secured service in Portal with saved credentials, the proxied generate token request does not honor the nonProxyHosts parameter.
• BUG-000104949 - Basemaps in the WGS84 coordinate system do not draw in the Item Details Set Extent dialog box.
• BUG-000103846 - Portal for ArcGIS has a hard-coded credential vulnerability.

Um Konflikte zu vermeiden, werden mit Version 10.4.1 auch die folgenden Probleme behoben:

• BUG-000114325 - Multiple pages in Portal for ArcGIS 10.3.x and 10.4.x do not display correctly after updating to Chrome 67.
• BUG-000110291 - Portal for ArcGIS should not parse entity tags.
• BUG-000110290 - Remove invalid record entries from the Portal for ArcGIS internal database.
• BUG-000108753 - Portal for ArcGIS configured with portal-tier authentication and automatic account creation enabled will create accounts that exceed the number of licenses available.
• BUG-000108155 - Endless generateToken requests are triggered in map viewer when token expires for a Portal configured with Integrated Windows Authentication (IWA) and federated with ArcGIS Server.
• BUG-000104116 - When adding members to Portal for ArcGIS using enterprise logins, users with user names less than six characters are not added even though no such limit actually exists in Portal for ArcGIS.
• BUG-000104718 - Tiles for a hosted tile layer from ArcGIS Online are not visible in the Portal for ArcGIS map viewer if the tile layer is added as an item with stored credentials.
• BUG-000103731 - In a highly available Portal deployment, the primary node reverts to the 'Create New Site' state, if the primary node loses connection to the content directory.
• BUG-000103700 - Portal login page displays in English instead of default language if 'Allow anonymous access to your portal' is unchecked.
• BUG-000102927 - When a layer is slow to display in the Map Viewer, the message indicating that the layer is unresponsive does not automatically dismiss once the layer draws.
• BUG-000102793 - Large Active Directory group structures cause latency issues with Portal for ArcGIS.
• BUG-000101562 - Unable to access Portal for ArcGIS's "Edit Settings" option when using the Java Web Adaptor with Apache Tomcat 7.0.73+ or 8.0.39+.
• BUG-000100420 - The check box for layers in the Layer List widget does not work after refreshing or launching the application again for map service feature layers when the group layer is unchecked and the sub layers are checked.
• BUG-000100424 - The Web AppBuilder for ArcGIS Geoprocessing widget fails to display the output table when the geoprocessing service is published with the 'View result with a map service' parameter.
• BUG-000099447 - Unable to upload files in the Portal home application after updating the browser to Firefox 49 or Chrome 54.
• BUG-000098148 - Refresh membership for enterprise users and groups fails to honor nested group membership in universal groups.
• BUG-000098559 – Un-validated redirect in Portal for ArcGIS.
• BUG-000098482 - Cross-site scripting (XSS) issue in Portal for ArcGIS.
• BUG-000098118 - Portal for ArcGIS exposes internal information.
• BUG-000098025 - Bypass of URL redirection rule in Portal for ArcGIS.
• BUG-000097777 - Support SAML logins to Portal for ArcGIS when a reverse proxy is defined using the WebContextURL property.
• BUG-000096571 - The secure attribute is not present on a cookie in Portal for ArcGIS.
• BUG-000096570 - Reflected cross-site scripting (XSS) is possible in Portal for ArcGIS.
• BUG-000096161 - Error "unable to refresh item" is returned when performing analysis using the spatial analysis tools in Portal for ArcGIS Map viewer. Dieser Fehler tritt auf, wenn sich ArcGIS Web Adaptor (oder ein Reverseproxy) auf einem anderen Computer als dem Hosting-ArcGIS-Server befindet.
• BUG-000094537- Active Directory users who belong to an enterprise group with the same name as a group within a different domain are granted access to Portal for ArcGIS 10.4 even if they do not belong to the group.
• BUG-000094523 - Cross Domain users cannot see which Enterprise groups they are a member of within Portal for ArcGIS 10.4.
• BUG-000091316 - Some Portal upload operations do not validate file type correctly.
• ENH-000092759 - Support enterprise usernames with a minimum length of 3 characters.
• NIM104313 - Logging out an enterprise user in Portal for ArcGIS does not propagate the user logout to the corresponding SAML Identity Provider.

Um Konflikte zu vermeiden, werden mit Version 10.3.1 auch die folgenden Probleme behoben:

• BUG-000114325 - Multiple pages in Portal for ArcGIS 10.3.x and 10.4.x do not display correctly after updating to Chrome 67.
• BUG-000110291 - Portal for ArcGIS should not parse entity tags.
• BUG-000110290 - Remove invalid record entries from the Portal for ArcGIS internal database.
• BUG-000108753 - Portal for ArcGIS configured with portal-tier authentication and automatic account creation enabled will create accounts that exceed the number of licenses available.
• BUG-000108155 - Endless generateToken requests are triggered in map viewer when token expires for a Portal configured with Integrated Windows Authentication (IWA) and federated with ArcGIS Server.
• BUG-000101456 - A Web AppBuilder for ArcGIS application hosted on a web server other than the Portal for ArcGIS machine fails to display the feature layers after 30 minutes of idle time when Portal for ArcGIS is secured with Integrated Windows Authentication (IWA).
• BUG-000099447 - Unable to upload files in the Portal home application after updating the browser to Firefox 49 or Chrome 54.
• BUG-000097640 - The BasemapGallery dijit sends an export image request instead of requesting for tiles when used with a cached image service as a basemap.
• BUG-000098559 – Un-validated redirect in Portal for ArcGIS.
• BUG-000098482 - Cross-site scripting (XSS) issue in Portal for ArcGIS.
• BUG-000098118 - Portal for ArcGIS exposes internal information.
• BUG-000098025 - Bypass of URL redirection rule in Portal for ArcGIS.
• BUG-000096889 - ArcGIS Server is unable to communicate with Portal for ArcGIS when the IP address of the Portal resolves to two different fully-qualified domain names.
• BUG-000096571 - The secure attribute is not present on a cookie in Portal for ArcGIS.
• BUG-000096570 - Reflected cross-site scripting (XSS) is possible in Portal for ArcGIS.
• BUG-000094105 - Portal generatetoken operation fails to reject POST requests which contain the username or password in the query parameter.
• BUG-000092447 - Tomcat vulnerability CVE-2014-0099 - Integer overflow attack.
• BUG-000092445 - Tomcat vulnerability, "CVE-2014-0230 - Denial-of-service attack via thread consumption".
• BUG-000091354 - Portal fails to refresh membership for users outside of the domain that the Portal server resides in.
• BUG-000091316 - Some Portal upload operations do not validate file type correctly.
• BUG-000090845 - Restrict access to the Tomcat internal shutdown port.
• BUG-000090552 - When editing the URL settings of an item in Portal for ArcGIS 10.3.1, the item URL does not save and reverts back to the original. (Nur Linux)
• BUG-000090024 - Unable to configure pop-ups for map service's feature layers with a unique layer ID in Portal for ArcGIS.
• BUG-000088826 - After upgrading from 10.3 or earlier, passwords for built-in portal accounts in Portal for ArcGIS cannot be changed by the user.
• BUG-000088682 - When Portal is configured to be SSL Only, Web AppBuilder URLs are saved as HTTP instead of HTTPs.
• BUG-000088663 - When a Web Map Tile Service (WMTS) service using WGS84 from a non-ArcGIS Server WMTS server is consumed as a basemap in Portal for ArcGIS, geocode results from the World Geocode Service appear in the wrong location.
• BUG-000088505 - Portal highly available configuration should not be reset to standalone Portal if the shared content folder is not available.
• BUG-000086481 - Incorrect geometries are displayed when reprojecting a hosted service in the map viewer.
• BUG-000085589 - Unable to display map layers added directly to a Portal Web Map when both Portal and ArcGIS Server are configured to use Integrated Windows Authentication (IWA) and both Web Adaptors are deployed on the same server.
• BUG-000085482- Failure occurs when the supportsPagination parameter is ignored when searching a feature layer for values in Portal for ArcGIS 10.3.
• BUG-000084180 - In Portal for ArcGIS when editing a user profile First Name and Last Name text fields always shows as blank under the Edit My Profile page.

Installieren dieses Patch unter Windows

Installationsschritte:

Vor der Installation dieses Patch muss Portal for ArcGIS installiert werden.

1. Laden Sie die entsprechende Datei an einen anderen Speicherort als den ArcGIS-Installationsspeicherort herunter.
   
   

2. Portal for ArcGIS 10.5.1		Prüfsumme (Md5)
   	ArcGIS-1051-PFA-SEC2018U2-Patch.msp	D7AA6160DD402B33EB7C91B4E1D71743
   Portal for ArcGIS 10.4.1		Prüfsumme (Md5)
   	ArcGIS-1041-PFA-SEC2018U2-Patch.msp	F598745C892422730B634F5A6FB30E16
   Portal for ArcGIS 10.3.1		Prüfsumme (Md5)
   	In Kürze verfügbar!

   
   
3. Stellen Sie sicher, dass Sie Schreibzugriff auf das ArcGIS-Installationsverzeichnis besitzen.
4. 
   
5. Doppelklicken Sie auf "ArcGIS--PFA-SEC2018U2-Patch.msp", um das Setup zu starten.
   
   HINWEIS: Wird durch Doppelklicken auf die MSP-Datei die Setup-Installation nicht gestartet, können Sie die Setup-Installation mit dem folgenden Befehl manuell starten:
   
   msiexec.exe /p [Speicherort des Patch]\ArcGIS--PFA-SEC2018U2-Patch.msp
   
6. 
   

Installieren dieses Patch unter Linux

Installationsschritte:

Führen Sie die folgenden Installationsschritte als Besitzer der ArcGIS-Installation aus. Der Besitzer der Installation ist der Besitzer des ArcGIS-Ordners.

Vor der Installation dieses Patch muss Portal for ArcGIS installiert werden.

1. Laden Sie die entsprechende Datei an einen anderen Speicherort als den ArcGIS-Installationsspeicherort herunter.
   
   
   

   Portal for ArcGIS 10.5.1		Prüfsumme (Md5)
   	ArcGIS-1051-PFA-SEC2018U2-Patch-linux.tar	3D384912E34002408AA8E32458A7D79F
   Portal for ArcGIS 10.4.1		Prüfsumme (Md5)
   	ArcGIS-1041-PFA-SEC2018U2-Patch-linux.tar	61BFF8BEAC7047FADE59A97AC87D4BCA
   Portal for ArcGIS 10.3.1		Prüfsumme (Md5)
   	In Kürze verfügbar!

   
   
2. Stellen Sie sicher, dass Sie Schreibzugriff für das ArcGIS-Installationsverzeichnis haben und ArcGIS durch keinen anderen Benutzer verwendet wird.
3. 
   
4. Extrahieren Sie die jeweilige TAR-Datei durch Eingabe des folgenden Befehls:
   
   % tar -xvf ArcGIS--PFA-SEC2018U2-Patch-linux.tar
5. 
   
6. Starten Sie die Installation durch die Eingabe des folgenden Befehls:
   
   % ./applypatch
   
   Es erscheint ein Dialogfeld für die menügesteuerte Installation. Die Standardauswahloptionen sind in Klammern ( ) angegeben. Die Installation kann jederzeit durch die Eingabe von "q" abgebrochen werden.
7. 
   

Deinstallieren dieses Patch unter Windows

• Um diesen Patch unter Windows zu deinstallieren, öffnen Sie die Windows-Systemsteuerung und navigieren Sie zu "Programme und Funktionen". Stellen Sie sicher, dass "Installierte Updates anzeigen" (links oben im Dialogfeld "Programme und Funktionen") aktiv ist. Wählen Sie den Patch-Namen in der Liste der Programme aus und klicken Sie auf "Deinstallieren", um den Patch zu entfernen.
  

• HINWEIS: Nach der Deinstallation des Portal for ArcGIS 10.5.1-Patch müssen Sie zusätzliche Konfigurationsänderungen vornehmen, wie in folgendem KB-Artikel beschrieben: "Portal for ArcGIS 10.5.1 becomes unresponsive after uninstalling a patch or hotfix".

Deinstallieren dieses Patch unter Linux

• Dieser Patch kann nur bei Version 10.5.1 deinstalliert werden. Um diesen Patch zu entfernen, navigieren Sie zum Verzeichnis /tmp und führen das folgende Skript als Besitzer der ArcGIS-Installation aus:
  
  
  ./patchremove
  
  
  Hinweise: Sie können nur den zuletzt installierten Patch entfernen.

• Starten Sie Ihre ArcGIS-Services neu.

Patch-Aktualisierungen

Ermittlung der installierten ArcGIS-Produkte

Anfordern von Unterstützung

Download ID:7637