Portal for ArcGIS Enterprise Sites Security Patch

Esri announces the Portal for ArcGIS Enterprise Sites Security Patch. This patch deals specifically with the issues listed below under Issues Addressed with this Patch. Before installing this patch on Windows, first run the Portal for ArcGIS Validation and Repair tool to validate that your ArcGIS Enterprise Windows deployment is ready to have Portal for ArcGIS patches applied.

March 21, 2024: A new setup for the ArcGIS Enterprise 10.8.1 Windows version of the Portal for ArcGIS Enterprise Sites Security Patch is now available. This new setup addresses an issue related to a defective patch installation on Windows, as described in BUG-000161711. Before installing this new patch, first run the Portal for ArcGIS Validation and Repair tool. The tool will validate your ArcGIS Enterprise deployment and determine if the defective patch is installed. If the defective patch is detected, you will be directed to use the tool to repair your deployment before you can install Portal for ArcGIS patches released as of December 2023.

The new setup, which replaces the defective patch, is named Portal for ArcGIS Enterprise Sites Security Patch. Note that the patch, when shown as available in the ArcGIS Enterprise Patch Notification tool, is listed as Portal for ArcGIS Enterprise Sites Security Patch (without the B suffix) with a release date of March 21, 2024; once installed, it is listed as Portal for ArcGIS Enterprise Sites Security Patch B.

More details about the defective patch installation are available from this Technical Support resource.

Patch history: Previous updates regarding this patch can be read in detail below the list of issues addressed with the patch.

• BUG-000163367 - Portal for ArcGIS 11.1 Enterprise Sites Security Patch installs successfully, but results in further unexpected issues with Portal for ArcGIS. (11.1 only)
• BUG-000161711 - After installing the Portal for ArcGIS 10.8.1 Enterprise Sites Security Patch, no further Portal for ArcGIS patches can be installed and the Portal for ArcGIS software cannot be upgraded to a later release. (10.8.1 only)
• BUG-000161332 - Installing Portal for ArcGIS 11.1 Enterprise Sites Security Patch A or B removes the directory and files used by 3D Object style items, resulting in advanced 3D symbols not displaying properly in Scene Viewer. (11.1 only)
• BUG-000160895 - After installing the Portal for ArcGIS 10.9.1 Enterprise Sites Security Patch, no further Portal for ArcGIS patches can be installed and the Portal for ArcGIS software cannot be upgraded to a later release. (10.9.1 only)
• BUG-000160830 - Installing the 11.1 version of the Portal for ArcGIS Enterprise Sites Security Patch results in failures on the standby machine in highly available environments. (11.1 only)
• BUG-000159526 - The Portal for ArcGIS Enterprise Sites Security Patch 11.1 is listed as not installed in the Patch Notification tool after installation. (11.1 only)
• BUG-000153659 - A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Enterprise Sites.
  

To avoid conflicts the 10.9.1 patch also addresses:

• BUG-000146341 - Footer not honored when using a custom HTML and CSS in ArcGIS Enterprise Sites 10.9.1.

To avoid conflicts the 10.8.1 patch also addresses:

• BUG-000138025 - Downloaded contents with a 'file' type are not recognized in the recent downloads in the Portal for ArcGIS 10.8.1 site application.
• BUG-000137100 - In ArcGIS Enterprise Sites, when you select "Explore" for the newly added gallery Item, the Portal Item is opened instead of launching the site page.
• BUG-000136370 - In ArcGIS Enterprise Sites, charts do not function when the site localization is in Arabic.
• BUG-000135364 - XSS in 10.8.1 sites builder iframe source.
• BUG-000134505 - The item description is unable to be changed in the ArcGIS Enterprise site when the corresponding feature service sublayer already contains a description.
• BUG-000134354 - Data item's details page's title on Enterprise Sites 10.8.1 respects the item's name (if exists) instead of its title.
• BUG-000134201 - Unable to access the URL of the ArcGIS Enterprise sites on Internet Explorer 11.
• BUG-000134170 - ArcGIS Enterprise Sites 10.8.1 fails with 404 error when navigating back or forward (with the browser arrows) to the dataset page when more than one page of data was displayed.
• BUG-000133605 - With Portal for ArcGIS 10.8 Enterprise Sites Patch 1 is installed, downloading a spreadsheet using level 1 viewer and anonymously fails.
• BUG-000133376 - API Explorer's Try It Out feature in ArcGIS Enterprise 10.8.1 Sites results in error code 499: Token Required.
• BUG-000133371 - "View Metadata" and "Create Webmap" in ArcGIS Enterprise 10.8.1 Sites results in 404 - File or directory not found.
• BUG-000133088 - XSS in ArcGIS Enterprise Sites.
• BUG-000133039 - Creating a web map from datasets, in ArcGIS Enterprise Sites, fails with a 404 error.
• BUG-000125077 - Layers accessed through categories in ArcGIS Enterprise Sites do not honor the symbology changes.

February 12, 2024: A new setup for the ArcGIS Enterprise 10.9.1 Windows version of the Portal for ArcGIS Enterprise Sites Security Patch is now available. This new setup addresses an issue related to a defective patch installation on Windows, as described in BUG-000160895. Before installing this new patch, first run the Portal for ArcGIS Validation and Repair tool. The tool will validate your ArcGIS Enterprise deployment and determine if the defective patch is installed. If the defective patch is detected, you will be directed to use the tool to repair your deployment before you can install Portal for ArcGIS patches released as of December 2023. 

The new setup, which replaces the defective patch, is named Portal for ArcGIS Enterprise Sites Security Patch. Note that the patch, when shown as available in the ArcGIS Enterprise Patch Notification tool, is listed as Portal for ArcGIS Enterprise Sites Security Patch (without the B suffix) with a release date of February 12, 2024; once installed, it is listed as Portal for ArcGIS Enterprise Sites Security Patch B.

December 12, 2023: A new setup for the ArcGIS Enterprise 11.1 Windows version of the Portal for ArcGIS Enterprise Sites Security Patch is now available. This new setup addresses an issue related to a defective patch installation on Windows, as described in BUG-000163367. Before installing this new patch, first run the Portal for ArcGIS Validation and Repair tool. The tool will validate your ArcGIS Enterprise deployment and determine if the defective patch is installed. If the defective patch is detected, you will be directed to use the tool to repair your deployment before you can install Portal for ArcGIS patches released as of December 2023. Windows 10.9.1 and 10.8.1 versions of this patch will be released at a future date.

The new setup, which replaces the defective patch, is named Portal for ArcGIS Enterprise Sites Security Patch C. Note that the patch, when shown as available in the ArcGIS Enterprise Patch Notification tool, is listed as Portal for ArcGIS Enterprise Sites Security Patch (without the C suffix) with a release date of December 12, 2023; once installed, it is listed as Portal for ArcGIS Enterprise Sites Security Patch C. The new setup also addresses BUG-000160830 which is described in this Esri Technical Article. 

Linux is not impacted by BUG-000163367, BUG-000160895, and BUG-000161711, therefore all versions of the Linux patch are now available (11.1, 10.9.1 and 10.8.1) and do not require the Portal for ArcGIS Validation and Repair tool to be run.

More details about the defective patch installation are available from this Technical Support resource.

December 7, 2023: The download of this patch has been temporarily disabled as of October 12 while a problem with the install of the patch is investigated. The defects that motivated the temporary disablement of the patches are BUG-000163367 (version 11.1), BUG-000160895 (version 10.9.1), and BUG-000161711 (version 10.8.1) and only impact Windows. Refer to this Technical Support page for information about these bugs and Esri's planned response.

Please note that a separate defect of lesser severity, BUG-000160830, has also been identified for version 11.1. Per the details of BUG-000160830, installing the Portal for ArcGIS Enterprise Sites Security Patch into version 11.1 highly available ArcGIS Enterprise environments will result in failures because a user configured file is not properly restored. An uninstall of the Portal for ArcGIS 11.1 Enterprise Sites Security Patch does not resolve the resulting failures because the user configured file cannot be corrected by the patch uninstall. A corrected version of this patch will be provided to address BUG-000160830. In the immediate, for those who have already installed this patch and encountered failures in a highly available environment, please refer to this Esri Technical Article for steps to reconfigure the affected file.

July 6, 2023: The 11.1 version of the Portal for ArcGIS Enterprise Sites Security Patch has been updated to address BUG-000159526 where the patch was installed but not listed as installed in the ArcGIS Enterprise Patch Notification tool. The new setup is named Portal for ArcGIS Enterprise Sites Security Patch B with the B suffix indicating a second build of this patch. The B suffix will appear in the name once the patch is installed. Please download and install the new setup. It is not necessary to uninstall the original patch, the new setup will install and replace the original patch.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

Before installing this patch on Windows, the ArcGIS Enterprise deployment must first be validated by running the Portal for ArcGIS Validation and Repair tool. Please download and run the Portal for ArcGIS Validation and Repair tool before attempting to install this patch. 

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

Step 2: Make sure you have write access to your ArcGIS installation location.

Step 3: Double-click ArcGIS-<Version>-PFA-ESSEC-Patch<B or C>.msp to start the setup process.

NOTE: If double clicking on the msp file does not start the setup installation, you can start the setup installation manually by using the following command:

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

Step 2: Make sure have write access to your ArcGIS installation location, and that no one is using ArcGIS.

Step 3: Extract the specified tar file by typing:

Step 4: Start the installation by typing:

This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

To remove this patch, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

Restart your ArcGIS services.

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

PatchFinder for Windows

PatchFinder for Linux/Unix