Portal for ArcGIS Enterprise Sites Security Patch

Esri announces the Portal for ArcGIS Enterprise Sites Security Patch. This patch deals specifically with the issues listed below under Issues Addressed with this Patch.

July 6, 2023: The 11.1 version of the Portal for ArcGIS Enterprise Sites Security Patch has been updated to address BUG-000159526.  Please download and install the new setup. It is not necessary to uninstall the original patch, the new setup will install and replace the original patch.

Important note September 22, 2023: The download of the version 11.1 Portal for ArcGIS Enterprise Sites Security Patch has been temporarily disabled. Installing the Portal for ArcGIS Enterprise Sites Security Patch into version 11.1 highly available Portal for ArcGIS environments will result in failures because a user configured file is not properly restored. An uninstall of the Portal for ArcGIS Enterprise Sites Security Patch does not resolve the failures.  Esri plans to release a corrected Portal for ArcGIS 11.1 Enterprise Sites Security Patch. For those who have already installed this patch and encountered failures in a highly available environment, please refer to this Esri Technical Article for help.

• BUG-000153659 - Stored XSS vulnerability in ArcGIS Enterprise Sites.
• BUG-000159526 - The Portal for ArcGIS Enterprise Sites Security Patch 11.1 is listed as not installed in the Patch Notification tool after installing. (11.1 only)

To avoid conflicts the 10.8.1 patch also addresses:

• BUG-000137100 - In ArcGIS Enterprise Sites, when you select "Explore" for the newly added gallery Item, the Portal Item is opened instead of launching the site page.
• BUG-000136370 - In ArcGIS Enterprise Sites, charts do not function when the site localization is in Arabic.
• BUG-000135364 - XSS in 10.8.1 sites builder iframe source.
• BUG-000134505 - The item description is unable to be changed in the ArcGIS Enterprise site when the corresponding feature service sublayer already contains a description.
• BUG-000134354 - Data item's details page's title on Enterprise Sites 10.8.1 respects the item's name (if exists) instead of its title.
• BUG-000134201 - Unable to access the URL of the ArcGIS Enterprise sites on Internet Explorer 11.
• BUG-000134170 - ArcGIS Enterprise Sites 10.8.1 fails with 404 error when navigating back or forward (with the browser arrows) to the dataset page when more than one page of data was displayed.
• BUG-000133605 - With Portal for ArcGIS 10.8 Enterprise Sites Patch 1 is installed, downloading a spreadsheet using level 1 viewer and anonymously fails.
• BUG-000133376 - API Explorer's Try It Out feature in ArcGIS Enterprise 10.8.1 Sites results in error code 499: Token Required.
• BUG-000133371 - "View Metadata" and "Create Webmap" in ArcGIS Enterprise 10.8.1 Sites results in 404 - File or directory not found.
• BUG-000133088 - XSS in ArcGIS Enterprise Sites.
• BUG-000133039 - Creating a web map from datasets, in ArcGIS Enterprise Sites, fails with a 404 error.
• BUG-000125077 - Layers accessed through categories in ArcGIS Enterprise Sites do not honor the symbology changes.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

Step 2: Make sure you have write access to your ArcGIS installation location.

Step 3: Double-click ArcGIS-<Version>-PFA-ESSEC-Patch.msp to start the setup process.

NOTE: If double clicking on the msp file does not start the setup installation, you can start the setup installation manually by using the following command:

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

Step 2: Make sure have write access to your ArcGIS installation location, and that no one is using ArcGIS.

Step 3: Extract the specified tar file by typing:

Step 4: Start the installation by typing:

This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

To remove this patch, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

Restart your ArcGIS services.

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

PatchFinder for Windows

PatchFinder for Linux/Unix