Portal for ArcGIS Security 2024 Update 1 Patch

Published: April 4, 2024

Summary

Esri announces the Portal for ArcGIS Security 2024 Update 1 Patch. This security patch includes security and non-security related fixes. Esri recommends that all customers using Portal for ArcGIS 11.2, 11.1, 10.9.1 and 10.8.1 apply this patch. This patch deals specifically with the issues listed below under Issues Addressed with this Patch.

Note: For version 11.2, Windows users will need to start the Portal for ArcGIS service after the patch install is complete. Go to the Component Services dialog to start the Portal for ArcGIS service.

Issues addressed with this patch

  • BUG-000166350 - Installing Portal for ArcGIS 11.1 Sharing Patch removes the directory and files used by 3D Object style items, resulting in advanced 3D symbols not displaying properly in Scene Viewer. (11.1 only)
  • BUG-000164118 - Members are not able to share to groups through the Map Viewer app when they own or manage more than 30 groups that are configured to only allow owner and managers to contribute content. (11.1)
  • BUG-000163309 - Reflected XSS in Portal for ArcGIS (11.1)
  • BUG-000162806 - ArcGIS Enterprise web apps do not prompt for an enterprise login from certain ArcGIS Enterprise services. (10.9.1)
  • BUG-000162733 - Portal for ArcGIS has an invalid authentication vulnerability. (11.2, 11.1 and 10.9.1)
  • BUG-000162623 - Portal for ArcGIS has a directory traversal vulnerability. (11.2, 11.1, 10.9.1, and 10.8.1)
  • BUG-000156913 - In Portal for ArcGIS 10.9.1, opening Map Viewer on a browser in a mobile view displays a blank map for a new map. (11.1, 10.9.1)
  • BUG-000158984 - Stored XSS in Portal for ArcGIS (11.1, 10.9.1, and 10.8.1)
  • BUG-000158981 - Stored XSS in Portal for ArcGIS (10.9.1 only) 
  • BUG-000158688 - Reflected XSS in Experience Builder (11.1, 10.9.1, and 10.8.1)
  • BUG-000158210 - HTML injection in ArcGIS Web AppBuilder (11.1, 10.9.1, and 10.8.1)
  • BUG-000154722 - Cross-Site Request Forgery (CSRF) in Portal for ArcGIS (10.9.1 and 10.8.1) 
  • BUG-000158030 - Reflected XSS in Portal for ArcGIS (10.9.1)
  • BUG-000153884 - Reflected XSS in Portal for ArcGIS Map Viewer (11.1, 10.9.1, and 10.8.1)
  • BUG-000151158 - After installing the Portal for ArcGIS Security 2022 Update 1 Patch, the font within pop-ups changes and spacing is reduced between the field name and attribute. (10.8.1)
  • BUG-000137190 - Labels in a vector tile layer render irrespective of the layer's visibility range. (10.9.1)

To avoid conflicts the 11.1 patch also addresses:

  • BUG-000160803 - Unable to access secured services with saved credentials when using a forward proxy that requires authentication.
  • BUG-000160633 - When selecting features from the map using the Query widget with a buffer, ArcGIS Experience Builder fails to include the query results from the buffered area in a linked Table widget.
  • BUG-000159271 - Warnings are erroneously logged for ArcGIS Notebooks and ArcGIS Mission while trying to refresh a webhooks configuration.
  • BUG-000158980 - Trying to add a service to the Map Viewer or as an item is resulting in an infinite loop of checkURL-requests when the allowedProxyHosts-parameter does not contain the domain of the service.
  • BUG-000158910 - WebGISDR tool backups fail if backup of portal indicates items were missing.
  • BUG-000158430 - In Web AppBuilder, the Geoprocessing widget gives an incorrect output for the selected feature if the option 'Set as input for Geoprocessing' is not selected within the Select widget.
  • BUG-000158232 - In Portal for ArcGIS, sharing items with groups does not work when an organization member owns more than 29 groups with the 'isViewOnly' property set to True.
  • BUG-000158161 - HTML code to embed a web map in a website does not work in Portal for ArcGIS.
  • BUG-000157727 - The 'Administrative contacts' section fails to load in ArcGIS Enterprise.
  • BUG-000157485 - Unable to create an offline area for a large data size in Portal for ArcGIS due to a size limit.

To avoid conflicts the 10.9.1 patch also addresses:

  • BUG-000160000 - When attempting to restore a Portal for ArcGIS backup to a new machine, the importSite operation may fail with the error message, "This connection has been closed. Code: 500" returned.
  • BUG-000159204 - Accessing and logging in to the ArcGIS Experience Builder web app via ArcGIS Enterprise Sites causes the ArcGIS Experience Builder web app to be always logged in even after logging out on other tabs.
  • BUG-000157748 - After installing the Portal for ArcGIS 10.9.1 Security 2023 Update 1 Patch, Map Viewer's Styles panel fails to load and other panels (Filter, Clustering) subsequently fail to load.
  • BUG-000157597 - Portal for ArcGIS Security 2023 Update 1 Patch for Portal for ArcGIS 10.9.1 causes issues in the Portfolio app in ArcGIS Instant Apps.
  • BUG-000157485 - Unable to create an offline area for a large data size in Portal for ArcGIS due to a size limit.
  • BUG-000156964 - Join site fails if the primary is using a non-default Web Server certificate.
  • BUG-000155004 - HTML injection issue in Portal for ArcGIS.
  • BUG-000155001 - Unvalidated redirect in Portal for ArcGIS.
  • BUG-000154662 - The user experience is inconsistent when opening ArcGIS Instant Apps without an app ID.
  • BUG-000154238 - After installing Portal for ArcGIS Security 2022 Update 2, ArcGIS Business Analyst Web App becomes inaccessible.
  • BUG-000154236 - ArcGIS Online has a security vulnerability (reflected XSS).
  • BUG-000154028 - If a group is configured for only owners or managers to contribute content, the managers cannot share items to the group in Portal for ArcGIS 10.8.1 and 10.9.1.
  • BUG-000153997 - After installing the Portal for ArcGIS 2022 Update 2 Patch, ArcGIS Instant Apps cannot be started.
  • BUG-000153799 - After installing the Portal for ArcGIS 10.9.1 Security 2022 Update 2 Patch, Map Viewer's Styles panel fails to load and other panels (Filter, Clustering) subsequently fail to load.
  • BUG-000152437 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000152422 - ArcGIS Experience Builder containing a secured service is unable to be saved when Portal for ArcGIS and a federated ArcGIS Server site are configured with matching WebContextURLs.
  • BUG-000152035 - Unvalidated redirect in Portal for ArcGIS.
  • BUG-000151892 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000149597 - Stored XSS vulnerability in Portal for ArcGIS.
  • BUG-000149111 - The Portal for ArcGIS certificate keystore is not preserved when a standby machine is joining back to the site during a webgisdr restore in 10.9.1.
  • BUG-000148810 - Portal for ArcGIS has a directory traversal vulnerability.
  • BUG-000148416 - Portal for ArcGIS service fails to restart after the Portal for ArcGIS Log4j patch installation in an Azure High Availability (HA) environment.
  • BUG-000148346 - There is a Cross Site Reference Forgery issue in the ArcGIS Enterprise portal.
  • BUG-000148008 - HTML injection in Portal for ArcGIS.
  • BUG-000147750 - In ArcGIS Dashboards in Portal for ArcGIS, after filtering the features in a map based on a category, the pop-up for filtering out the overlapping features is still displayed.
  • BUG-000147353 - Administrators are unable to share private items owned by another member to a group that they both are members of.
  • BUG-000146967 - Unable to edit polygon geometry with z-values as a feature layer in MapViewer for Portal for ArcGIS published from ArcGIS Pro.
  • BUG-000146846 - In ArcGIS Enterprise, the ArcGIS Online geometry service is used, although a custom one is configured.
  • BUG-000146790 - Distributed Collaboration is not working in Enterprise 10.9.1 if access to the ArcGIS Server (hosting server) Services Directory is disabled.
  • BUG-000146217 - The Category Gallery application has stopped responding, and returned the following message, "Uncaught: The item containing the living atlas categories could not be determined" in the Debug Tool (F12) under 'Console'.
  • BUG-000145799 - When the Enterprise portal display language is set to any non-English language, text is missing for the 'Application extension (AppBuilder)' option on the Content page within the New Item > Application dialog.
  • BUG-000145792 - When creating a dashboard in Portal for ArcGIS 10.9.1, the dashboard URL adds two dots after the web adaptor's name.
  • BUG-000145347 - Update log4j to address security vulnerabilities.
  • BUG-000145201 - When upgrading Portal for ArcGIS to version 10.9.1, the self-signed certificates are reverted to default.
  • BUG-000143573 - Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS.
  • BUG-000142922 - Members are able to access the items in the My Favorites tab shared using a group even after leaving the group.
  • BUG-000141240 - ArcGIS Web AppBuilder in ArcGIS Enterprise 10.9 is blocking hosted custom 3D widgets.
  • BUG-000140656 - 'Allow Portal Access' does not prompt for enterprise logins when WebContextURLs match for Portal for ArcGIS and the server site that owns the content being accessed.
  • BUG-000138713 - Features published through the local time enabled referenced feature service are filtered incorrectly through UTC when used in the Filter widget in ArcGIS Web AppBuilder.
  • BUG-000133406 - The relationship field value does not auto-populate after adding the first related record using the ArcGIS Web AppBuilder Edit widget.

To avoid conflicts the 10.8.1 patch also addresses:

  • BUG-000155004 - HTML injection issue in Portal for ArcGIS.
  • BUG-000154662 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000154236 - ArcGIS Online has a security vulnerability (reflected XSS).
  • BUG-000154028 - If a group is configured for only owners or managers to contribute content, the managers cannot share items to the group in Portal for ArcGIS 10.8.1 and 10.9.1.
  • BUG-000152437 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000152035 - Unvalidated redirect in Portal for ArcGIS.
  • BUG-000151892 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000151621 - Setting virtualDirsSecurityEnabled to 'true' prevents the token or authentication from passing to a new tab in a web browser logged in to a federated ArcGIS Server site when printing from ArcGIS Web AppBuilder.
  • BUG-000151158 - After installing the Portal for ArcGIS Security 2022 Update 1 Patch, the font within pop-ups changes and spacing is reduced between the field name and attribute.
  • BUG-000150937 - Features published through the local time enabled referenced feature service are filtered incorrectly through UTC when used in the Filter widget in ArcGIS Web AppBuilder.
  • BUG-000149597 - Stored XSS vulnerability in Portal for ArcGIS.
  • BUG-000149149 - Setting virtualDirsSecurityEnabled to 'true' prevents the token or authentication from passing to a new tab in a web browser logged in to a federated ArcGIS Server site.
  • BUG-000148810 - Portal for ArcGIS has a directory traversal vulnerability.
  • BUG-000148416 - Portal for ArcGIS service fails to restart after the Portal for ArcGIS Log4j patch installation in an Azure High Availability (HA) environment.
  • BUG-000148411 - Portal for ArcGIS Log4j Patch causes the Portal for ArcGIS 10.8.1 to Portal for ArcGIS 10.9.1 upgrade on Linux to fail and returns the error message, "Message: The requested resource [/arcgis/home/] is not available."
  • BUG-000148346 - There is a Cross Site Reference Forgery issue in the ArcGIS Enterprise portal.
  • BUG-000148008 - HTML injection in Portal for ArcGIS.
  • BUG-000147837 - After installing the Portal for ArcGIS 10.8.1 Log4j Patch, there may be changes to the web map pop-up font.
  • BUG-000147016 - Portal for ArcGIS is not accessible after uninstalling the Portal for ArcGIS Log4j Patch.
  • BUG-000145347 - Update log4j to address security vulnerabilities.
  • BUG-000144180 - The web app cut tool found in the Edit widget updated the last_edited_date value for features not impacted by the cut tool when the editor tracking is enabled for the service.
  • BUG-000143643 - Stored XSS vulnerability in ArcGIS Configurable Apps.
  • BUG-000143642 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000143641 - There is a misconfiguration in allowedProxyHosts.
  • BUG-000143640 - Prevent access to sharing/rest/content/features/generate to unauthorized users.
  • BUG-000143638 - Prevent access to sharing/rest/content/features/analyze to unauthorized users.
  • BUG-000143573 - Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS.
  • BUG-000142922 - Incomplete permission changes in specific cases.
  • BUG-000141886 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000140748 - In ArcGIS Web AppBuilder, the Analysis widget containing the Find Nearest analysis tool returns an error that the tool is not configured.
  • BUG-000140596 - The full bar chart legend is not displayed in the Map Viewer for 10.8.1 map services.
  • BUG-000139417 - Uploading item to Portal for ArcGIS fails when the item size requires multipart upload and content directory is in Azure Blob storage.
  • BUG-000139382 - Embedded Portal configurable apps fail to load on a browser with 'Block third-party cookies' enabled.
  • BUG-000139216 - Privilege escalation vulnerability in Portal for ArcGIS.
  • BUG-000139021 - In a web application created using Web AppBuilder, unable to query related table from Query Widget.
  • BUG-000138825 - The Web Scene Viewer in ArcGIS Enterprise 10.8.1 does not honor the default values for the vertex count of an IntegratedMesh I3S 1.7 layer and fails to load the content.
  • BUG-000138525 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000138486 - HTML injection vulnerability in Portal for ArcGIS.
  • BUG-000137735 - The allowedProxyHosts property is not fully honored in ArcGIS Enterprise.
  • BUG-000137733 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000137142 - When creating a new StoryMap app, an unnecessary HTTP 404 response is returned that can cause issues in some fire-walled environments.
  • BUG-000136544 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000136493 - Stored cross-site scripting issue in Portal for ArcGIS.
  • BUG-000136356 - The Filter widget in ArcGIS Web AppBuilder resets the 'Ask for Value' check box when two or more expressions are added.
  • BUG-000136352 - Legend info in the Portal for ArcGIS 10.8.1 Map Viewer misses the histogram chart for a published map service with a bar chart symbol.
  • BUG-000136210 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000136090 - Group membership not updated when two portal groups are linked to the same SAML enterprise group.
  • BUG-000136041 - ArcGIS Enterprise portal members with custom roles should be able to delete their own services when the role includes administrative privileges such as 'View all members' and publisher privileges.
  • BUG-000136016 - Unable to select Existing surveys using the Survey Widget in Experience Builder on Portal for ArcGIS.
  • BUG-000135726 - Code injection issue in Portal for ArcGIS.
  • BUG-000135044 - Block custom roles with the admin update privilege from updating the password of default.
  • BUG-000134926 - Unvalidated redirect issue in the ArcGIS Enterprise portal sign in page.
  • BUG-000134458 - In some environments, the standby portal does not rejoin successfully.
  • BUG-000134077 - The OAuth Authorization code granted with Proof Key for Code Exchange (PKCE) fails in ArcGIS Enterprise 10.8.1.
  • BUG-000134014 - XSS filter encodes valid HTML tags that were supported in earlier releases.
  • BUG-000133257 - There is a stored cross-site scripting (XSS) vulnerability in ArcGIS API for JavaScript.
  • BUG-000133255 - Portal for ArcGIS system properties are not properly encrypted.
  • BUG-000133143 - Unable to configure email settings for ArcGIS Enterprise if fromEmailAddress parameter contains a hyphen in the domain section of the address (e.g. test@esri-1.com).
  • BUG-000133077 - Firefly, Government, Public Safety symbol sets owned by esri_en are not shared with Esri Symbols Group.
  • BUG-000131991 - Reflected cross-site scripting (XSS) in the home application.
  • BUG-000131701 - Configurable parameters are not saved in ArcGIS Online and ArcGIS Enterprise.
  • BUG-000131521 - Only 10 layers downloaded using Screening widget 'Download' function in Chrome and Edge.
  • BUG-000130954 - When attribute filters are applied to the Attribute Table widget in the Web AppBuilder for ArcGIS Enterprise Portal, and a large number of records are in the filtered results, the CSV export does not honor the filters.
  • BUG-000130783 - Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS.
  • BUG-000129529 - When members login to the ArcGIS Enterprise portal, their last login date reported on the Members tab of the Organization page is not consistently updated.
  • BUG-000128134 - Exporting a CSV file from the Query widget in Portal for ArcGIS exports coded values rather than the descriptions.

Installing this patch on Windows

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

ArcGIS Enterprise

  Portal for ArcGIS 11.2
    File:              ArcGIS-112-PFA-SEC2024U1-Patch.msp
    Checksum (SHA256): 7194557E8FBB8E9753A54987BF493416C78AB001A9B258212ED16AA852E3DAA3

  Portal for ArcGIS 11.1
    File:              ArcGIS-111-PFA-SEC2024U1-Patch.msp
    Checksum (SHA256): 7F710E4BAD0F8476F9D964CB927EA29CA6ABB64558AB0D6BDA565D1A54C5EB8F

  Portal for ArcGIS 10.9.1
    File:              ArcGIS-1091-PFA-SEC2024U1-Patch.msp
    Checksum (SHA256): 4EC584A0C8110BE7B0174A16B92B2E4F3BEA5038BBEF2A6332B7CB80159ECCE3

  Portal for ArcGIS 10.8.1
    File:              ArcGIS-1081-PFA-SEC2024U1-Patch.msp
    Checksum (SHA256): 4B796A4178E7E8A2E1EB575D42BDD6236857DDD039DDFC7364A44FC036B54D74

Step 2: Make sure you have write access to your ArcGIS installation location.

Step 3: Double-click ArcGIS-<Version>-PFA-SEC2024U1-Patch.msp to start the setup process.


NOTE: If double-clicking the .msp file does not start the setup installation, you can start it manually with the following command:

msiexec.exe /p [location of Patch]\ArcGIS-<Version>-PFA-SEC2024U1-Patch.msp


Step 4 (11.2 Only): 
For version 11.2, Windows users will need to start the Portal for ArcGIS service after the patch install is complete. Go to the Component Services dialog to start the Portal for ArcGIS service.

 

Installing this patch on Linux

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

ArcGIS Enterprise

  Portal for ArcGIS 11.2
    File:              ArcGIS-112-PFA-SEC2024U1-Patch-linux.tar
    Checksum (SHA256): E2B4C61B3E62D79D1643796491367CC55726C11CC85D01E8EF2BE41E17C57C1A

  Portal for ArcGIS 11.1
    File:              ArcGIS-111-PFA-SEC2024U1-Patch-linux.tar
    Checksum (SHA256): 43010A7C3F9233A08AF79587D41195F56E91EDC48B00F40CBBC39C844A0CF4C9

  Portal for ArcGIS 10.9.1
    File:              ArcGIS-1091-PFA-SEC2024U1-Patch-linux.tar
    Checksum (SHA256): 9B1464F497F88770AE033A2AABF2F055870321FF9D98D1E095CF609F9E21029F

  Portal for ArcGIS 10.8.1
    File:              ArcGIS-1081-PFA-SEC2024U1-Patch-linux.tar
    Checksum (SHA256): D00C372A8204EF3407B79663B316E74635D0C1DADE876BCC636511421FC19811

Step 2: Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

Step 3: Extract the specified tar file by typing:

% tar -xvf ArcGIS-<Version>-PFA-SEC2024U1-Patch-linux.tar

 

Step 4: Start the installation by typing:

% ./applypatch

 

This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
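The page lists a SHA256 checksum beside every patch file but does not show how to check a download against it. The script below is an added example, not Esri's own tooling: it verifies a downloaded patch file against the published value before the Linux install steps above (extract, then run applypatch). The file names and checksums in the lookup are copied from the tables on this page; the function names, the use of sha256sum/shasum, and the install wrapper are this example's own assumptions. The same verify function works for the Windows .msp files, whose checksums are also included.

```shell
#!/bin/sh
# Added example (not an Esri script): verify a downloaded Portal for ArcGIS
# Security 2024 Update 1 patch file against the SHA256 published on the page,
# then run the Linux install steps. Assumes sha256sum (coreutils) or
# shasum (perl) is on PATH. Run as the ArcGIS Install owner.

# Published SHA256 values from this page, keyed by file name.
published_sha256() {
  case "$1" in
    ArcGIS-112-PFA-SEC2024U1-Patch.msp)        echo 7194557E8FBB8E9753A54987BF493416C78AB001A9B258212ED16AA852E3DAA3 ;;
    ArcGIS-111-PFA-SEC2024U1-Patch.msp)        echo 7F710E4BAD0F8476F9D964CB927EA29CA6ABB64558AB0D6BDA565D1A54C5EB8F ;;
    ArcGIS-1091-PFA-SEC2024U1-Patch.msp)       echo 4EC584A0C8110BE7B0174A16B92B2E4F3BEA5038BBEF2A6332B7CB80159ECCE3 ;;
    ArcGIS-1081-PFA-SEC2024U1-Patch.msp)       echo 4B796A4178E7E8A2E1EB575D42BDD6236857DDD039DDFC7364A44FC036B54D74 ;;
    ArcGIS-112-PFA-SEC2024U1-Patch-linux.tar)  echo E2B4C61B3E62D79D1643796491367CC55726C11CC85D01E8EF2BE41E17C57C1A ;;
    ArcGIS-111-PFA-SEC2024U1-Patch-linux.tar)  echo 43010A7C3F9233A08AF79587D41195F56E91EDC48B00F40CBBC39C844A0CF4C9 ;;
    ArcGIS-1091-PFA-SEC2024U1-Patch-linux.tar) echo 9B1464F497F88770AE033A2AABF2F055870321FF9D98D1E095CF609F9E21029F ;;
    ArcGIS-1081-PFA-SEC2024U1-Patch-linux.tar) echo D00C372A8204EF3407B79663B316E74635D0C1DADE876BCC636511421FC19811 ;;
    *) return 1 ;;   # unknown file: no published value, caller must stop
  esac
}

# Print the lowercase SHA256 digest of a file (sha256sum or shasum fallback).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | awk '{print tolower($1)}'
}

# verify_patch_checksum FILE EXPECTED
# Returns 0 when FILE's digest equals EXPECTED (case-insensitive), 1 otherwise.
# Prints both digests on mismatch so the operator can see what was downloaded.
verify_patch_checksum() {
  file="$1"
  expected_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  actual=$(file_sha256 "$file")
  if [ "$actual" = "$expected_lc" ]; then
    echo "OK       $file"
    return 0
  fi
  echo "MISMATCH $file" >&2
  echo "  expected $expected_lc" >&2
  echo "  actual   $actual" >&2
  return 1
}

# install_patch_archive ARCHIVE
# Linux flow from the page: look up the published digest for the archive
# name, refuse to continue on mismatch, then extract and hand off to
# applypatch (Steps 3 and 4). Runs from the directory holding the archive.
install_patch_archive() {
  archive="$1"
  name=$(basename "$archive")
  expected=$(published_sha256 "$name") || {
    echo "no published checksum for $name; not installing" >&2
    return 1
  }
  verify_patch_checksum "$archive" "$expected" || return 1
  tar -xvf "$archive" && ./applypatch
}

# Usage: sh verify_patch.sh ArcGIS-<Version>-PFA-SEC2024U1-Patch-linux.tar
if [ -n "${1:-}" ]; then
  install_patch_archive "$1"
fi
```

On Windows the same published values can be checked before Step 3 with Get-FileHash in PowerShell or certutil -hashfile <file> SHA256, which both print the digest for comparison with the table above.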

Uninstalling this patch on Windows

To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux

To remove this patch on versions 10.7 and higher, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

./removepatch.sh

The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

Restart your ArcGIS services.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

PatchFinder for Windows

PatchFinder for Linux/Unix
