Patches and updates

Defective Portal for ArcGIS Enterprise Sites Security Patch

Published: December 8, 2023

Summary

A defect has been identified in the Portal for ArcGIS Enterprise Sites Security Patch for 10.8.1, 10.9.1, and 11.1. This patch was initially released in late June 2023 and has been disabled for download as of October 12, 2023 while this defect is investigated. ArcGIS Enterprise 10.8.1, 10.9.1, and 11.1 deployments on Windows with this patch installed are affected by this issue. 

The ArcGIS Enterprise development team has released a response to the defective patch. This response includes a Validation and Repair tool for each impacted version and new patches to replace the defective patch.

For ArcGIS Enterprise 10.8.1, 10.9.1, and 11.1, the Validation and Repair tool and new patch are now available.

We are here to help. If you have any questions regarding this information, please reach out to Esri Technical Support or your Esri account manager.


Detailed description

The Portal for ArcGIS Enterprise Sites Security Patch was originally released for 10.8.1, 10.9.1, and 11.1 in late June 2023. The defective patch installation only affects ArcGIS Enterprise on Windows. ArcGIS Enterprise deployments on Linux and Kubernetes are not affected.

The patch was temporarily disabled on October 12, 2023 when the defect was identified. Although the patch installs successfully and resolves the security vulnerabilities it is intended to, the defect has serious implications because it compromises the Portal for ArcGIS patch installation framework. ArcGIS Enterprise deployments with this defective patch installed will continue to work as normal until further actions (installing another patch, or then upgrading or uninstalling Portal for ArcGIS) expose the potential impacts of the patch.

For ArcGIS Enterprise 10.8.1, 10.9.1, and 11.1, the Validation and Repair tool and new patch are now available. Until the Validation and Repair tool can be run, customers who have installed Portal for ArcGIS Enterprise Sites Security Patch 10.8.1, 10.9.1, and 11.1 should be notified of the following:

  • Do not attempt to uninstall any Portal for ArcGIS patch including the defective patch. By uninstalling the patch, the deployment will no longer be protected from the security vulnerabilities addressed by the patch.

These recommendations are intended to help customers mitigate any potential risk of further compromising an ArcGIS Enterprise deployment with this defective patch installed. It is important to note that there are specific nuances to the defective patch for each impacted version of ArcGIS Enterprise and some of these generalized recommendations may not be applicable for all affected software versions and conditions. For additional guidance, reach out to Esri Technical Support.


Esri's planned response

The ArcGIS Enterprise development team has released a response to the defective patch. The response to this defective patch includes the following for the affected versions of the software:

  • Version-specific Portal for ArcGIS Validation and Repair tool.
    • First, the tool validates a Portal for ArcGIS deployment to ensure more patches can be installed: each version-specific Validation and Repair tool detects whether the defective patch is installed.
    • From there, the tool will then repair the ArcGIS Enterprise deployment by removing the defective patch, any subsequently applied Portal for ArcGIS patches that failed to install, and all Portal for ArcGIS patches that were installed prior to the defective patch.
    • Once the repair is complete, the ArcGIS Enterprise deployment can be validated.
    • After the Validation and Repair tool has run, all patches will need to be reapplied to the impacted ArcGIS Enterprise deployment.
  • A prerequisite check in all future Portal for ArcGIS patches that requires the Portal for ArcGIS Validation and Repair tool to have been run.
  • Corrected Portal for ArcGIS Enterprise Sites Security Patches that have resolved the defective installation.

This response will be specific to each impacted version of ArcGIS Enterprise. Below is the status of the response for each version.

  • 11.1: Validation and Repair tool available now (released December 12, 2023); corrected patches available now (released December 12, 2023).
  • 10.9.1: Validation and Repair tool available now (released February 12, 2024); corrected patches available now (released February 12, 2024).
  • 10.8.1: Validation and Repair tool available now (released March 21, 2024); corrected patches available now (released March 21, 2024).


If you have an ArcGIS Enterprise deployment on version 11.1, 10.9.1, or 10.8.1 on Windows, you will need to be aware of the new Portal for ArcGIS Validation and Repair tool once it is available for your version, and of the prerequisite check in all future Portal for ArcGIS patches. To err on the side of caution and ensure that a deployment is not impacted by the defective patch, all ArcGIS Enterprise deployments will need to be validated with the Portal for ArcGIS Validation and Repair tool to confirm they are ready for more patches to be applied.


Next steps


FAQ

How will I notice something is wrong with this defective patch?

You won’t notice something is wrong by simply installing the patch. The patch installs without errors. The patch correctly addresses the security vulnerabilities as described in the patch description. Your ArcGIS Enterprise deployment continues to function normally after the patch is applied. Unlike most software defects, which are revealed by an obvious malfunction or unexpected result from the software, there is no noticeable sign that this patch is defective.

Can I just uninstall the defective patch?

No, the defective nature of this patch is not resolved by uninstalling the patch. Additionally, your deployment will no longer be protected from the security vulnerabilities addressed by the defective patch. Please do not uninstall the defective patch or any other patches from your system.

What are the problems caused by the defective patch?

The defective patch causes negative side effects to the Portal for ArcGIS installation. These possible side effects to the installation occur in two stages:

  • The first stage occurs when attempting to install more Portal for ArcGIS patches after the defective patch has been installed.
  • The second stage involves then attempting to upgrade or uninstall the Portal for ArcGIS software after an additional patch has been applied.

The two stages of side effects are only possible on versions 10.9.1 and 10.8.1. For version 11.1, the Portal for ArcGIS Enterprise Sites Security Patch is the only patch available for Portal for ArcGIS 11.1, so it is not possible to experience the side effects because there are no patches to install after the defective patch. The circumstances are different for 10.9.1 and 10.8.1, where more patches are available.

The first stage is attempting to install more Portal for ArcGIS patches after the defective patch is installed. Attempts to install additional Portal for ArcGIS patches will result in a “smooth failure”: the installation completes faster than expected and no error messages are shown, but afterwards you can see that the new patch is not installed. The Patch Notification Tool shows the patch as still available instead of installed, and the Windows Updates panel does not list the patch as installed. This is the point where you may first observe a problem, but you are unlikely to realize that the failure to install any Portal for ArcGIS patch is related to the defective Portal for ArcGIS Enterprise Sites Security Patch. There may be an error message “Can’t install any Portal for ArcGIS patches.”

At this point, the ArcGIS Enterprise deployment is still functioning normally and the security vulnerability is still addressed, but the Portal for ArcGIS installation has been further impacted by this attempt to install another patch after the defective patch. Your ArcGIS Enterprise deployment is now at risk of severe problems if there is an attempt to upgrade or uninstall the Portal for ArcGIS software. If you are in this situation, do not upgrade to a later software version and do not attempt to uninstall the Portal for ArcGIS software; an attempt to upgrade the software to a later version would put ArcGIS Enterprise into the second stage of the side effects caused by the defective patch. Also, do not attempt to uninstall any Portal for ArcGIS patches.

An ArcGIS Enterprise deployment in this first stage of the side effects can be repaired with the Portal for ArcGIS Validation and Repair tool. If you are in this situation, wait for the notification from Esri that this tool has been made available for your version.

The second stage occurs when you attempt to upgrade the Portal for ArcGIS component after there was a failed attempt to apply an additional patch. An ArcGIS Enterprise deployment in the second stage of the side effects is no longer functional. The upgrade fails in such a way that two incomplete versions of the software remain on the machine. If your deployment reaches this point of a failed upgrade, it will not be able to recover without help from Esri. The Portal for ArcGIS Validation and Repair tool cannot repair the deployment from this failed upgrade. Instead, contact Esri Technical Support for help restoring the ArcGIS Enterprise deployment.

How do I check the order in which the patches were installed?

The order of the patches’ installation can be narrowed down to the date in the Windows Updates panel. If there are multiple patches installed on the same date, reach out to Esri Technical Support for assistance on getting additional detail about installation time.

Again, err on the side of caution if there is any ambiguity about the order in which patches were installed.

Can I upgrade my ArcGIS Enterprise deployment if I have installed the defective patch?

Before considering upgrading, it is critical to be certain that the defective patch is the last Portal for ArcGIS patch installed on your deployment. If you have installed a subsequent patch or hotfix after the defective patch and then try to upgrade, your system may enter an unrecoverable state.

With that in mind, you want to approach upgrading with caution. If you can be absolutely certain that the defective patch is the last patch installed on your system, you can proceed with upgrading. If there is any ambiguity about if this patch was the last patch installed, you should wait until the Validation and Repair tool is available for the version of ArcGIS Enterprise that you are using.

Overall, the safest approach is to wait until the Validation and Repair tool is available. If you have further questions about upgrading, you can reach out to Esri Technical Support.
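As a defender-side check for the two questions above (which patches were installed in which order, and whether the defective patch is the last one before considering an upgrade), here is an added PowerShell example. It is not an Esri tool and is not part of the advisory; it reads the per-machine patch records that Windows Installer keeps in the registry, which is the same data behind the "Installed On" date in the Windows Updates panel. The registry path and the value names DisplayName and Installed are assumptions noted in the comments.

```powershell
# Added example, not an Esri tool: list the Windows Installer patches registered
# against Portal for ArcGIS, ordered by install date, and report whether the
# Enterprise Sites Security Patch is the most recently installed one.
# Assumptions (not from the advisory): per-machine patch metadata lives under
# the key below, with value names DisplayName and Installed (yyyyMMdd string).
# Run in an elevated PowerShell session on the Portal for ArcGIS machine.

$ProductsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'

function Get-PortalPatchHistory {
    param([string]$ProductFilter = 'Portal for ArcGIS')
    $history = foreach ($product in Get-ChildItem -Path $ProductsKey -ErrorAction SilentlyContinue) {
        $info = Get-ItemProperty -Path "$($product.PSPath)\InstallProperties" -ErrorAction SilentlyContinue
        if (-not $info -or $info.DisplayName -notlike "*$ProductFilter*") { continue }
        foreach ($patch in Get-ChildItem -Path "$($product.PSPath)\Patches" -ErrorAction SilentlyContinue) {
            $meta = Get-ItemProperty -Path $patch.PSPath
            [pscustomobject]@{
                Product   = $info.DisplayName
                Patch     = $meta.DisplayName
                Installed = [string]$meta.Installed   # yyyyMMdd; the date the Installed Updates panel shows
            }
        }
    }
    # Same-day installs cannot be ordered from this data; the advisory says to
    # ask Esri Technical Support for installation-time detail in that case.
    $history | Sort-Object Installed, Patch
}

function Test-SitesPatchIsLast {
    $history = @(Get-PortalPatchHistory)
    $sites = $history | Where-Object { $_.Patch -like '*Enterprise Sites*' } | Select-Object -Last 1
    if (-not $sites) {
        return 'Enterprise Sites Security Patch not present: this machine is not affected by the defective patch.'
    }
    $later   = @($history | Where-Object { $_.Installed -gt $sites.Installed })
    $sameDay = @($history | Where-Object { $_.Installed -eq $sites.Installed -and $_.Patch -ne $sites.Patch })
    if ($later.Count -gt 0) {
        return "Patches installed after the Sites patch: $($later.Patch -join '; '). Do not upgrade or uninstall; run the Validation and Repair tool."
    }
    if ($sameDay.Count -gt 0) {
        return "Other patches share the Sites patch install date ($($sites.Installed)); the order is ambiguous, contact Esri Technical Support."
    }
    return "The Sites patch (installed $($sites.Installed)) is the last Portal for ArcGIS patch on this machine."
}

Get-PortalPatchHistory | Format-Table -AutoSize
Test-SitesPatchIsLast
```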

Are ArcGIS Server, ArcGIS Data Store, or the ArcGIS Web Adaptor impacted by this patch?

No. In the case of this defective patch, the only software component of an ArcGIS Enterprise base deployment that is impacted is Portal for ArcGIS.

What is addressed with the Portal for ArcGIS Enterprise Sites Security patches?

Three security vulnerabilities are addressed by the Portal for ArcGIS Enterprise Sites Security Patch:

  • CVE-2023-25835 – CVSS 8.4 (High severity) – Addressed in 11.1, 10.9.1, and 10.8.1 patches
  • CVE-2023-25836 – CVSS 5.4 (Medium) – Addressed in 10.8.1 patch
  • CVE-2023-25837 – CVSS 6.8 (Medium) – Addressed in 10.8.1 patch

The ArcGIS Trust Center offers more details about the security vulnerabilities addressed with the Portal for ArcGIS Enterprise Sites Security Patch.

I want the security patch but cannot get it since it has been temporarily disabled for download. What can I do?

Until the Validation and Repair tool and all patches are released, there are two options with which you can mitigate the vulnerabilities that would otherwise be addressed by the patch. Keep in mind that if you have installed the defective patch, your system is already protected against the addressed security vulnerabilities. This guidance is specifically for customers who have not installed the defective patch.

  • Option 1: Upgrade your deployment to ArcGIS Enterprise 11.2 to completely remediate these vulnerabilities.
  • Option 2: Remove members from ArcGIS Enterprise Sites Core Team groups.

In either case, ArcGIS Enterprise Sites will remain accessible.

Are there any recommended approaches for limited downtime associated with using the Validation and Repair tool?

As mentioned, the “Repair” mode of the Validation and Repair tool will remove all patches from your Portal for ArcGIS environment. After the tool has run, you will need to reapply all patches to your Portal for ArcGIS environment. For older versions such as 10.8.1, there are more patches to remove and reapply than for later versions, which will result in longer potential downtime for your deployment. Esri recommends planning for this downtime and running the Validation and Repair tool and reapplying patches during a scheduled maintenance window.

For those already familiar with and utilizing the high availability and disaster recovery tools of Portal for ArcGIS, such as the WebGISDR tool, there are some alternative approaches to consider that would reduce downtime. The following sections offer a general outline of two approaches. Detailed instructions on implementing these approaches are not within the scope of this document.

If reducing downtime is critical to your organization, you may consider two alternative approaches in place of the Validation and Repair tool:

Join Site

The join site option takes advantage of high availability to migrate components to new machines. In this case, you will solely be moving Portal for ArcGIS to a new machine. At a high level, this would involve:

1. Provisioning a new machine
2. Moving the portal content to a share
3. Updating the content directory in the Portal Administrator API
4. Installing Portal for ArcGIS on your new machine
5. Using the join site operation in either the home application or the Portal Administrator Directory to join your new machine to your old machine
6. Unregistering your old machine
7. Installing available patches on your new machine

This workflow is outlined in the documentation for migrating a machine running Portal for ArcGIS. If your Enterprise portal is already highly available, you’ll start by unregistering your standby portal, and then continue on from step three above. For more information, see the documentation on migrating to a new machine. Note that this approach will incur small amounts of downtime during the join site and unregister machine operations.

Pros:

-    This approach does not require a full new ArcGIS Enterprise deployment. Instead, this approach only requires migrating the Portal for ArcGIS component which is the only component impacted by the defective patch.

-    Because this approach only requires migrating the Portal for ArcGIS component, it is less complex than the WebGIS DR tool approach outlined in the next section.

Cons:

-    This approach will result in slight downtime when registering or unregistering your Portal for ArcGIS machines.

-    This approach will impact your production environment.

Please note: This workflow is for advanced users who are familiar with and comfortable with the Join Site workflow and the required infrastructure. Organizations that do not have experience with this approach or the required IT resources would need consulting assistance.

WebGIS DR Tool

Another alternative to the Validation and Repair tool is using the WebGIS DR tool for migrating to new machines. The WebGIS DR tool is designed to take a backup of your existing deployment, including all data, settings, and configurations. In the event of a failure, you can restore the backup to recover data from the failure. It can also be used to restore to a mirrored environment, either to support geographic redundancy or for migration purposes. See the documentation for more information regarding the WebGIS DR tool.

The important point about using the WebGIS DR tool to migrate machines is how traffic is resolved. Because it is a disaster recovery tool, the organization and service URLs of the environment where the backup was taken have to match the URLs of where you want to restore. The following steps outline how to use the WebGIS DR tool to migrate to new machines:

1. Create a backup of your existing environment.
2. Consider how you want to resolve traffic to your production organization URL. This can be done using the etc\hosts file or by temporarily resolving traffic to your new environment for the duration of creating it.
3. Provision your new machine or machines.
4. Install and configure the new environment.
5. Restore the backup to your new environment.
6. Validate that business or mission critical services and applications are functional.
7. Remove the etc\hosts entries and redirect traffic to your new environment.

More information about this workflow can be found in the Migrate to a new machine in ArcGIS Enterprise using the WebGIS DR tool blog.

Pros:

-    This approach will isolate changes from your production environment.

-    This approach will provide an opportunity to migrate to new machines if required.

Cons:

-    This approach may require more resources than the Join Site approach, depending on the architecture of your ArcGIS Enterprise deployment.

Please note: This workflow is for advanced users who are familiar with and comfortable using the WebGISDR tool and handling the required infrastructure changes. Organizations that do not have experience with these tools or the required IT resources may need consulting assistance or may choose an alternative approach.

These workflows require familiarity and expertise with the described tools and are not recommended for all organizations and deployments. After determining if one of these approaches may be suitable to your organization, consider the provided Pros and Cons for each approach to decide which approach will be the best fit.