
Defective Portal for ArcGIS Enterprise Sites Security Patch

Published: December 8, 2023

Summary

A defect has been identified in the Portal for ArcGIS Enterprise Sites Security Patch for 10.8.1, 10.9.1, and 11.1. This patch was initially released in late June 2023 and has been disabled for download as of October 12, 2023 while this defect is investigated. ArcGIS Enterprise 10.8.1, 10.9.1, and 11.1 deployments on Windows with this patch installed are affected by this issue. 

The ArcGIS Enterprise development team has released a response to the defective patch. This response includes a Validation and Repair tool for each impacted version and new patches to replace the defective patch.

For ArcGIS Enterprise 10.8.1, 10.9.1, and 11.1, the Validation and Repair tool and new patch are now available.

We are here to help. If you have any questions regarding this information, please reach out to Esri Technical Support or your Esri account manager.

Detailed description

The Portal for ArcGIS Enterprise Sites Security Patch was originally released for 10.8.1, 10.9.1, and 11.1 in late June 2023. The defective patch installation only affects ArcGIS Enterprise on Windows. ArcGIS Enterprise deployments on Linux and Kubernetes are not affected.

The patch was temporarily disabled on October 12, 2023 when the defect was identified. Although the patch installs successfully and resolves the security vulnerabilities it is intended to address, the defect has serious implications because it compromises the Portal for ArcGIS patch installation framework. ArcGIS Enterprise deployments with this defective patch installed will continue to work as normal until additional actions are taken that expose the potential impacts of the patch.

For ArcGIS Enterprise 10.8.1, 10.9.1, and 11.1, the Validation and Repair tool and new patch are now available. Until the Validation and Repair tool can be run, customers who have installed Portal for ArcGIS Enterprise Sites Security Patch 10.8.1, 10.9.1, and 11.1 should be notified of the following:

  • Do not attempt to uninstall any Portal for ArcGIS patch including the defective patch. By uninstalling the patch, the deployment will no longer be protected from the security vulnerabilities addressed by the patch.

These recommendations are intended to help customers mitigate any potential risk of further compromising an ArcGIS Enterprise deployment with this defective patch installed. It is important to note that there are specific nuances to the defective patch for each impacted version of ArcGIS Enterprise and some of these generalized recommendations may not be applicable for all affected software versions and conditions. For additional guidance, reach out to Esri Technical Support.


Esri's planned response

The ArcGIS Enterprise development team has released a response to the defective patch. The response to this defective patch includes the following for the affected versions of the software:

  • Version-specific Portal for ArcGIS Validation and Repair tool.
    • First, the tool validates a Portal for ArcGIS deployment to confirm that more patches can be installed: each version-specific Validation and Repair tool begins by detecting whether the defective patch is installed.
    • From there, the tool will then repair the ArcGIS Enterprise deployment by removing the defective patch, any subsequently applied Portal for ArcGIS patches that failed to install, and all Portal for ArcGIS patches that were installed prior to the defective patch.
    • Once the repair is complete, the ArcGIS Enterprise deployment can be validated.
    • After the Validation and Repair tool has run, all patches will need to be reapplied to the impacted ArcGIS Enterprise deployment.
  • A pre-requisite check in all future Portal for ArcGIS patches that requires running the Portal for ArcGIS Validation and Repair tool.
  • Corrected Portal for ArcGIS Enterprise Sites Security Patches that have resolved the defective installation.

This response will be specific to each impacted version of ArcGIS Enterprise. Below is the status of the response for each version.

Version   Validation and Repair tool                      Corrected patches
11.1      Available now. Released December 12, 2023.      Available now. Released December 12, 2023.
10.9.1    Available now. Released February 12, 2024.      Available now. Released February 12, 2024.
10.8.1    Available now. Released March 21, 2024.         Available now. Released March 21, 2024.


If you have an ArcGIS Enterprise deployment on versions 11.1, 10.9.1, and 10.8.1 on Windows, you will need to be aware of the new Portal for ArcGIS Validation and Repair tool once available, and the pre-requisite check in all future Portal for ArcGIS patches. To err on the side of caution and ensure that a deployment is not impacted by the defective patch, all ArcGIS Enterprise deployments will need to be validated with the Portal for ArcGIS Validation and Repair tool to ensure they are ready for more patches to be applied.


Next steps


FAQ

How will I notice something is wrong with this defective patch?

You won’t notice something is wrong by simply installing the patch. The patch installs without errors. The patch correctly addresses the security vulnerabilities as described in the patch description. Your ArcGIS Enterprise deployment continues to function normally after the patch is applied. Unlike most software defects which are driven by an obvious malfunction or unexpected result from the software, there is no noticeable sign that this patch is defective.

Can I just uninstall the defective patch?

No, the defective nature of this patch is not resolved by uninstalling the patch. Additionally, your deployment will no longer be protected from the security vulnerabilities addressed by the defective patch. Please do not uninstall the defective patch or any other patches from your system.

What are the problems caused by the defective patch?

The defective patch causes negative side effects to the Portal for ArcGIS installation. These possible side effects to the installation occur in two stages:

  • The first stage occurs when attempting to install more Portal for ArcGIS patches after the defective patch has been installed.
  • The second stage involves then attempting to upgrade or uninstall the Portal for ArcGIS software after an additional patch has been applied.

The two stages of side effects are only possible on versions 10.9.1 and 10.8.1. For version 11.1, the Portal for ArcGIS Enterprise Sites Security Patch is the only patch available for Portal for ArcGIS 11.1, so it is not possible to experience the side effects because there are no patches to install after the defective patch. The circumstances are different for 10.9.1 and 10.8.1, where more patches are available.

The first stage is attempting to install more Portal for ArcGIS patches after the defective patch is installed. Attempts to install additional Portal for ArcGIS patches will result in a “smooth failure”: the installation completes faster than expected and no error messages are shown, but afterwards you can see that the new patch is not installed. The Patch Notification Tool shows the patch as still available instead of installed, and the Windows Updates panel does not list the patch as installed. This is the point where you may first observe a problem, but you are unlikely to realize that the failure to install any Portal for ArcGIS patch is related to the defective Portal for ArcGIS Enterprise Sites Security Patch. There may be an error message: “Can’t install any Portal for ArcGIS patches.”

At this point, the ArcGIS Enterprise deployment is still functioning normally and the security vulnerability is still addressed. But the Portal for ArcGIS installation has been further impacted by this attempt to install another patch after the defective patch. Your ArcGIS Enterprise deployment is now at risk of severe problems if there is an attempt to upgrade or uninstall the Portal for ArcGIS software. If you are in this situation, do not upgrade to a later software version, and do not attempt to uninstall the Portal for ArcGIS software. An attempt to upgrade the software to a later version would put ArcGIS Enterprise into the second stage of the side effects caused by the defective patch. Also, do not attempt to uninstall any Portal for ArcGIS patches. An ArcGIS Enterprise deployment in this first stage of the side effects can be repaired with the forthcoming Portal for ArcGIS Validation and Repair tool. If you are in this situation, wait for the notification from Esri that this tool has been made available.

The second stage occurs when you attempt to upgrade the Portal for ArcGIS component after a failed attempt to apply an additional patch. An ArcGIS Enterprise deployment in the second stage of the side effects is no longer functional. The upgrade fails in such a way that two incomplete versions of the software remain on the machine. If your deployment reaches this point of a failed upgrade, you will not be able to recover without help from Esri. The Portal for ArcGIS Validation and Repair tool cannot repair the deployment after this failed upgrade. Instead, contact Esri Technical Support for help restoring the ArcGIS Enterprise deployment.

How do I check the order in which the patches were installed?

The order in which the patches were installed can be narrowed down using the installation date shown in the Windows Updates panel. If multiple patches were installed on the same date, reach out to Esri Technical Support for assistance in obtaining additional detail about the installation times.

Again, err on the side of caution if there is any ambiguity about the order in which patches were installed.

Can I upgrade my ArcGIS Enterprise deployment if I have installed the defective patch?

Before considering upgrading, it is critical to be certain that the defective patch is the last Portal for ArcGIS patch installed on your deployment. If you have installed a subsequent patch or hotfix after the defective patch and then try to upgrade, your system may enter an unrecoverable state.

With that in mind, approach upgrading with caution. If you can be absolutely certain that the defective patch is the last patch installed on your system, you can proceed with upgrading. If there is any ambiguity about whether this patch was the last patch installed, you should wait until the Validation and Repair tool is available for the version of ArcGIS Enterprise that you are using.

Overall, the safest approach is to wait until the Validation and Repair tool is available. If you have further questions about upgrading, you can reach out to Esri Technical Support.

Are ArcGIS Server, ArcGIS Data Store, or the ArcGIS Web Adaptor impacted by this patch?

No. In the case of this defective patch, the only software component of an ArcGIS Enterprise base deployment that is impacted is Portal for ArcGIS.

What is addressed with the Portal for ArcGIS Enterprise Sites Security patches?

Three security vulnerabilities are addressed by the Portal for ArcGIS Enterprise Sites Patch:

  • CVE-2023-25835 – CVSS 8.4 (High severity) – Addressed in 11.1, 10.9.1, and 10.8.1 patches
  • CVE-2023-25836 – CVSS 5.4 (Medium) – Addressed in 10.8.1 patch
  • CVE-2023-25837 – CVSS 6.8 (Medium) – Addressed in 10.8.1 patch

The ArcGIS Trust Center offers more details about the security vulnerabilities addressed with the Portal for ArcGIS Enterprise Sites Security Patch.

I want the security patch but cannot get it since it has been temporarily disabled for download. What can I do?

Until the Validation and Repair tool and all patches are released, there are two options with which you can mitigate the vulnerabilities that would otherwise be addressed by the patch. Keep in mind that if you have installed the defective patch, your system is already protected against the addressed security vulnerabilities. This guidance is specifically for customers who have not installed the defective patch.

  • Option 1: Upgrade your deployment to ArcGIS Enterprise 11.2 to completely remediate these vulnerabilities.
  • Option 2: Remove members from ArcGIS Enterprise Sites Core Team groups.

In either case, ArcGIS Enterprise Sites will remain accessible.