Skip to main content

Patches and updates

Portal for ArcGIS Log4j Patch

Published: February 3, 2022

Summary

This security patch addresses multiple security vulnerabilities found in log4j distributed with Portal for ArcGIS. Esri recommends that all customers using Portal for ArcGIS 10.6 apply this patch.

Description

EsriĀ® announces the Portal for ArcGIS Log4j Patch. Esri recommends that all customers using Portal for ArcGIS 10.6 apply this patch. This patch deals specifically with the issue listed below under Issues Addressed with this patch.

Issues Addressed with this patch


To avoid conflicts on 10.6 this patch also addresses:
  • BUG-000139216 - Privilege escalation vulnerability in Portal for ArcGIS.
  • BUG-000138525 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000136493 - Stored cross-site scripting issue in Portal for ArcGIS.
  • BUG-000130954 - When attribute filters are applied to the Attribute Table widget in the Web AppBuilder for ArcGIS Enterprise Portal, and a large number of records are in the filtered results, the CSV export does not honor the filters.
  • BUG-000130067 - An infinite number of requests are generated when viewing the attribute of a service with around one million features in ArcGIS Web AppBuilder.
  • BUG-000128058 - Portal for ArcGIS has a Server Side Request Forgery (SSRF) security vulnerability.
  • BUG-000123523 - The Attribute Table widget in ArcGIS Online does not display the ongoing process of loading features when the 'Filter by map extent' option is deselected.
  • BUG-000121222 - The Attribute widget in Web AppBuilder for ArcGIS does not return consistent records when exporting attribute to CSV for a feature layer with large records (millions) in Portal for ArcGIS.
  • BUG-000121145 - Portal proxy does not fully validate allowedProxyHosts parameter.
  • BUG-000117564 - Privilege escalation vulnerability.
  • BUG-000114738 - Internet Explorer 11 does not properly encode spaces in certain Portal request URLs, which causes the request to fail in Portal Linux 10.6
  • BUG-000109526 - The 'Filter' widget in WebApp Builder for ArcGIS does not honor the layer's date format setting.
  • ENH-000116621 - Add the ability to modify the maximum token expiration time of tokens generated to login to Portal for ArcGIS when using IDP-initiated logins.

Installing this patch on Windows

Installation Steps:

This patch should be installed on all Portal for ArcGIS installations related to the Portal for ArcGIS site.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    ArcGIS Enterprise 10.6  
       
        Portal for ArcGIS ArcGIS-106-PFA-Log4j-Patch.msp
         Checksum
         (SHA256)
    9CD6266E1024F8C322E11BC1BF344912AD0EF52029F85E64E57766289220827E
       

  2. Make sure you have write access to your ArcGIS installation location.
  3. Double-click ArcGIS-106-PFA-Log4j-Patch.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-106-PFA-Log4j-Patch.msp

 

Installing this patch on Linux

Installation Steps:

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    ArcGIS Enterprise 10.6  
       
    Portal for ArcGIS ArcGIS-106-PFA-Log4j-Patch-linux.tar
         Checksum
         (SHA256)
    19FDFA78813B18D24DD6FFA2127EF463E4AF3BACF595064349C20BEDFC0154A6
       

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.
  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-106-PFA-Log4j-Patch-linux.tar
     
  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

Uninstalling this patch on Windows

  • To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux

  • To uninstall this patch on Linux for ArcGIS 10.5.1 through 10.6.1, navigate to the /tmp directory and run the following script as the ArcGIS Install owner:

    Notes: You can only remove the patch that was installed most recently.

    ./patchremove
  • Restart your ArcGIS services

Patch Updates

Check the Esri Support Downloads page periodically for the availability of additional patches. New information about this patch will be posted here.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.



Download ID:7974

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options