Portal for ArcGIS Security 2016 Update 2 Patch

Summary

This security patch addresses multiple security vulnerabilities found in Portal for ArcGIS.  Esri recommends that all customers using Portal for ArcGIS 10.2.2 and 10.3.1 apply this patch.  Customers who are using 10.2 or 10.2.1 should first upgrade to 10.2.2.  Customers who are using 10.3 should first upgrade to 10.3.1.

Description

Esri® announces the Portal for ArcGIS Security 2016 Update 2 Patch. Esri recommends that all customers using Portal for ArcGIS 10.2.2 and 10.3.1 apply this patch. This patch deals specifically with the issues listed below under Issues Addressed with this patch.

This security patch is cumulative and includes several non-security-related fixes from an earlier patch that are also listed below under Issues Addressed with this patch.


Issues Addressed with this patch


  • BUG-000092447 - Tomcat vulnerability CVE-2014-0099 - Integer overflow attack.
  • BUG-000092445 - Tomcat vulnerability CVE-2014-0230 - Denial-of-service attack via thread consumption.
  • BUG-000090845 - Restrict access to the Tomcat internal shutdown port.

To avoid conflicts with existing patches, the 10.3.1 version patch also addresses these issues:
  • BUG-000094105 - Portal generateToken operation fails to reject POST requests which contain the username or password in the query parameter.

  • BUG-000091354 - Portal fails to refresh membership for users outside of the domain that the Portal server resides in.

  • BUG-000090552 - When editing the URL settings of an item in Portal for ArcGIS 10.3.1, the item URL does not save and reverts back to the original.

  • BUG-000088826 - After upgrading from 10.3 or earlier, passwords for built-in portal accounts in Portal for ArcGIS cannot be changed by the user.

  • BUG-000088682 - When Portal is configured to be SSL Only, Web AppBuilder URLs are saved as HTTP instead of HTTPS.

  • BUG-000085589 - Unable to display map layers added directly to a Portal Web Map when both Portal and ArcGIS Server are configured to use Integrated Windows Authentication (IWA) and both Web Adaptors are deployed on the same server. (Windows only)

  • BUG-000088505 - Portal highly available configuration should not be reset to standalone Portal if the shared content folder is not available.

  • BUG-000086481 - Incorrect geometries are displayed when reprojecting a hosted service in the map viewer.

  • BUG-000084180 - In Portal for ArcGIS, when editing a user profile, the First Name and Last Name text fields always show as blank on the Edit My Profile page.

To avoid conflicts with existing patches, the 10.2.2 version patch also addresses these issues:

  • BUG-000091521 - Portal for ArcGIS 10.2.x freezes Internet Explorer (10 and 11) when services are added to a web map using ‘Search for Layers’.
  • BUG-000083626 - When adding layers to the Portal map viewer without signing in, once a GIS server connection has been made, the drop-down option to add layers from the Portal no longer appears.
  • BUG-000083072 - Reflected cross-site scripting (XSS) vulnerability in Portal for ArcGIS.
  • BUG-000082666 - Disable SSLv3 to prevent the "POODLE" vulnerability.
  • BUG-000082294 - Reflected cross-site scripting (XSS) vulnerability in Portal for ArcGIS during redirects.
  • NIM104456 - Certain Portal operations fail to use the forward proxy server information defined in the system properties.
  • NIM104047 - Secure the portal's proxy capability.
  • NIM103102 - When adding a GIS tier secured ArcGIS for Server map service under 'My Content' in Portal for ArcGIS, the option to save credentials is available but when selected, the credentials are not saved.
  • NIM099352 - Unable to save credentials for ArcGIS for Server-based content being added to Portal from ArcGIS when the desired service is secured with Windows authentication.

Installing this patch on Windows


Installation Steps:


Portal for ArcGIS 10.3.1 or 10.2.2 must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    Portal for ArcGIS 10.3.1
         Product:        Portal for ArcGIS
         File:           ArcGIS-1031-PFA-SEC2016U2-Patch.msp
         Checksum (MD5): F2354AF19F070CCD4F9E4176F0643940

    Portal for ArcGIS 10.2.2
         Product:        Portal for ArcGIS
         File:           ArcGIS-1022-PFA-SEC2016U2-Patch.msp
         Checksum (MD5): C32DD75EEB739DA2E65817E41F7C01C1

  2. Make sure you have write access to your ArcGIS installation location.

  3. Double-click ArcGIS-<Version>-PFA-SEC2016U2-Patch.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-PFA-SEC2016U2-Patch.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

Portal for ArcGIS 10.3.1 or 10.2.2 must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    ArcGIS 10.3.1
         Product:        Portal for ArcGIS
         File:           ArcGIS-1031-PFA-SEC2016U2-Patch-linux.tar
         Checksum (MD5): AE654507AE7AC4D52E1F105FE910F9E0

    ArcGIS 10.2.2
         Product:        Portal for ArcGIS
         File:           ArcGIS-1022-PFA-SEC2016U2-Patch-linux.tar
         Checksum (MD5): 1CCB8CC1713D5ADCBEA7C45E987746A2

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-PFA-SEC2016U2-Patch-linux.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
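
The download steps list an MD5 checksum for each patch file but do not show how to check it. The script below is an added example, not part of Esri's instructions: it compares a downloaded file against the checksum published on this page and extracts a tar archive only when they match. The function names `published_md5` and `verify_patch_md5` are hypothetical, and `md5sum` is assumed to be available.

```shell
#!/bin/sh
# Added example: verify a downloaded patch against the MD5 listed on this
# page before extracting it. File names and checksums are copied from the
# download tables; the function names are hypothetical.
# MD5 detects a corrupted or truncated download. It is not collision
# resistant, so a match confirms integrity of the transfer, not authenticity.

# Print the published MD5 for a known patch file name (nothing if unknown).
published_md5() {
    case "$(basename "$1")" in
        ArcGIS-1031-PFA-SEC2016U2-Patch.msp)       echo F2354AF19F070CCD4F9E4176F0643940 ;;
        ArcGIS-1022-PFA-SEC2016U2-Patch.msp)       echo C32DD75EEB739DA2E65817E41F7C01C1 ;;
        ArcGIS-1031-PFA-SEC2016U2-Patch-linux.tar) echo AE654507AE7AC4D52E1F105FE910F9E0 ;;
        ArcGIS-1022-PFA-SEC2016U2-Patch-linux.tar) echo 1CCB8CC1713D5ADCBEA7C45E987746A2 ;;
    esac
}

# verify_patch_md5 FILE [EXPECTED]
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or no
# checksum is known for it. EXPECTED overrides the built-in table.
verify_patch_md5() {
    file=$1
    expected=${2:-$(published_md5 "$file")}
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    [ -n "$expected" ] || { echo "no published checksum for: $file" >&2; return 2; }
    # md5sum prints lowercase hex; the page lists uppercase, so fold case.
    actual=$(md5sum < "$file" | cut -d' ' -f1)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (got $actual, expected $expected)" >&2
    return 1
}

# When called with a file argument, verify it and extract only on success.
if [ "$#" -gt 0 ]; then
    verify_patch_md5 "$1" || exit 1
    case "$1" in *.tar) tar -xvf "$1" ;; esac
fi
```

Saved under a name of your choice and run with the downloaded file as its only argument, the script stops with a non-zero exit status on a mismatch, so `./applypatch` is never reached with an altered or incomplete archive.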

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

August 18, 2016: Portal for ArcGIS 10.2.2 setups are available for download.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites: if you have any difficulty installing this patch, please contact Esri Technical Support at 1-888-377-4575. International sites: please contact your local Esri software distributor.