Portal for ArcGIS Enterprise Sites Security 2025 Update 1 Patch

Summary

Esri announces the Portal for ArcGIS Enterprise Sites Security 2025 Update 1 Patch. Esri recommends that all customers using Portal for ArcGIS 11.4, 11.3, 11.1, and 10.9.1 apply this patch.  This patch deals specifically with the issues listed below under Issues Addressed with this Patch.

As a best practice, clear the browser cache and re-launch the browser after installing the patch.

This patch can be uninstalled as outlined in the Uninstalling this patch on Windows and Uninstalling this patch on Linux sections below.

Additionally, Esri recommends developing a rollback plan before installing patches. This may involve taking a snapshot of machines and related file servers, or using the WebGIS DR tool as a software backup. See Back up and restore best practices for more information. For those utilizing a highly available environment, refer to the help topic on how to apply patches in a highly available environment for guidance.

Issues addressed with this patch

  • BUG-000177336 - ArcGIS Enterprise Sites has a stored Cross-site Scripting vulnerability. (11.4, 11.3, 11.1)
  • BUG-000177335 - ArcGIS Enterprise Sites has a stored Cross-site Scripting vulnerability. (11.4, 11.3)
  • BUG-000177333 - ArcGIS Enterprise Sites has a stored Cross-site Scripting vulnerability. (11.1, 10.9.1)
  • BUG-000173918 - ArcGIS Enterprise Sites has a security vulnerability. (11.4, 11.3, 11.1)
  • BUG-000173171 - ArcGIS Enterprise Sites has a Cross-site Scripting vulnerability. (11.4, 11.3)
  • BUG-000172758 - In the ArcGIS Enterprise Sites gallery cards, the buttons are not immediately updated when a new button background color is specified in the Theme settings. (11.4, 11.3)

To avoid conflicts, the 11.3 version also addresses:

  • BUG-000168418 - The error message "Essential Apps Required" is returned when loading ArcGIS Enterprise Sites directly for the first time when using web-tier authentication such as Integrated Windows Authentication (IWA) or public key infrastructure (PKI).
  • BUG-000165233 - The View Data Source option for ArcGIS Hub ends on a loop when the data is referenced from Portal for ArcGIS.
  • BUG-000163121 - The ArcGIS Enterprise Sites Gallery layout does not display items correctly.

To avoid conflicts, the 11.1 version also addresses:

  • BUG-000153659 - A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Enterprise Sites.

To avoid conflicts, the 10.9.1 version also addresses:

  • BUG-000160895 - After installing the Portal for ArcGIS 10.9.1 Enterprise Sites Security Patch, no further Portal for ArcGIS patches can be installed and the Portal for ArcGIS software cannot be upgraded to a later release. 
  • BUG-000153659 - A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Enterprise Sites.
  • BUG-000146341 - Footer not honored when using a custom HTML and CSS in ArcGIS Enterprise Sites 10.9.1.

Installing this patch on Windows

On Windows, the release date order of the patches does not matter when installing multiple patches. If an older patch is installed after a newer patch, the newer patch takes precedence and the fixes from the newer patch will remain. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

ArcGIS Enterprise 11.4
     Portal for ArcGIS: ArcGIS-114-PFA-ESSEC2025U1-Patch.msp
     Checksum (SHA256): 0851FF751770063F940F72476726A62DC6C567EA2C3B1A958AC619D71A9ABFED

ArcGIS Enterprise 11.3
     Portal for ArcGIS: ArcGIS-113-PFA-ESSEC2025U1-Patch.msp
     Checksum (SHA256): 22653FEE1FF6D156D005396389EDE9ACAE172230EB6E67FDD07E2F566846E5D6

ArcGIS Enterprise 11.1
     Portal for ArcGIS: ArcGIS-111-PFA-ESSEC2025U1-Patch.msp
     Checksum (SHA256): 80A2A6660A13B692BF186BFAF850EC18E6370431A97E0DCC91500A25C911A344

ArcGIS Enterprise 10.9.1
     Portal for ArcGIS: ArcGIS-1091-PFA-ESSEC2025U1-Patch.msp
     Checksum (SHA256): B418F1F0FB91BC4C62F5ADB33E422206C9EBBE78DFAA6F675541D912D5AB4687

Step 2: Make sure you have write access to your ArcGIS installation location.

Step 3: Double-click the downloaded ArcGIS-<Version>-PFA-ESSEC2025U1-Patch.msp file to start the setup process.

NOTE: If double-clicking the .msp file does not start the setup installation, you can start the setup installation manually by using the following command:

msiexec.exe /p [location of Patch]\ArcGIS-<Version>-PFA-ESSEC2025U1-Patch.msp


Step 4: As a best practice, clear the browser cache and re-launch the browser after installing the patch.

Installing this patch on Linux

On Linux, the release date order of the patches matters when installing multiple patches. If an older patch is installed after a newer patch, the older patch will replace the newer patch and the fixes in the newer patch will be removed. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

ArcGIS Enterprise 11.4
     Portal for ArcGIS: ArcGIS-114-PFA-ESSEC2025U1-Patch-linux.tar
     Checksum (SHA256): 370CEE61C77DE8C7173F929317DEE1D87020C88FCE470454175919CA310FBEA5

ArcGIS Enterprise 11.3
     Portal for ArcGIS: ArcGIS-113-PFA-ESSEC2025U1-Patch-linux.tar
     Checksum (SHA256): CDCA90FA60168EBE3FAA3D65841D62214F2569E04B107FEC8EA99176647270C3

ArcGIS Enterprise 11.1
     Portal for ArcGIS: ArcGIS-111-PFA-ESSEC2025U1-Patch-linux.tar
     Checksum (SHA256): C20B85AD1B637742E8ADA5C897799B0960D445323E04D70B3401C4E0802CBA1B

ArcGIS Enterprise 10.9.1
     Portal for ArcGIS: ArcGIS-1091-PFA-ESSEC2025U1-Patch-linux.tar
     Checksum (SHA256): 94D403FB8410ACB50B9D3335C268840C18F60CC8F8D73BE16DD82D7EA9081EB4

Step 2: Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

Step 3: Extract the specified tar file by typing:

% tar -xvf ArcGIS-<Version>-PFA-ESSEC2025U1-Patch-linux.tar
 

Step 4: Start the installation by typing:

% ./applypatch
 

This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

Step 5: As a best practice, clear the browser cache and re-launch the browser after installing the patch.
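Between the download in Step 1 and the extraction in Step 3, the archive can be checked against the SHA256 value published in the Linux table above. The script below is an added example, not part of Esri's patch tooling; the function names are hypothetical, and it assumes sha256sum (or shasum) and awk are on the PATH.

```shell
# Added example: check a downloaded Linux patch archive before extracting it.
# Checksums below are copied from this page's Linux download table.
expected_sha256() {
    case "$(basename "$1")" in
        ArcGIS-114-PFA-ESSEC2025U1-Patch-linux.tar)
            echo 370CEE61C77DE8C7173F929317DEE1D87020C88FCE470454175919CA310FBEA5 ;;
        ArcGIS-113-PFA-ESSEC2025U1-Patch-linux.tar)
            echo CDCA90FA60168EBE3FAA3D65841D62214F2569E04B107FEC8EA99176647270C3 ;;
        ArcGIS-111-PFA-ESSEC2025U1-Patch-linux.tar)
            echo C20B85AD1B637742E8ADA5C897799B0960D445323E04D70B3401C4E0802CBA1B ;;
        ArcGIS-1091-PFA-ESSEC2025U1-Patch-linux.tar)
            echo 94D403FB8410ACB50B9D3335C268840C18F60CC8F8D73BE16DD82D7EA9081EB4 ;;
        *) return 1 ;;   # unknown file name: no published checksum
    esac
}

# sha256sum prints lowercase hex; the page publishes uppercase, so normalise.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print toupper($1) }'
}

# Return 0 only when the file's digest equals the expected value.
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    actual=$(file_sha256 "$1")
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ "$actual" = "$want" ]; then
        echo "OK $1"
    else
        echo "MISMATCH $1: expected $want, got $actual" >&2
        return 1
    fi
}

# Look up the published checksum by file name and extract only on a match.
verify_and_extract() {
    want=$(expected_sha256 "$1") || { echo "no published checksum: $1" >&2; return 3; }
    verify_sha256 "$1" "$want" && tar -xvf "$1"
}

# Usage: sh verify_patch.sh ArcGIS-<Version>-PFA-ESSEC2025U1-Patch-linux.tar
if [ "$#" -ge 1 ]; then verify_and_extract "$1"; fi
```

A mismatch leaves the archive unextracted, so ./applypatch is never run from an unverified download.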

Uninstalling this patch on Windows

To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux

Navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

./removepatch.sh

The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

Restart your ArcGIS services.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

PatchFinder for Windows

PatchFinder for Linux/Unix


