
Portal for ArcGIS 10.3.1 Security 2017 Update 3 Patch

Summary

This security patch addresses multiple security vulnerabilities found in Portal for ArcGIS.  Esri recommends that all customers using Portal for ArcGIS 10.3.1 apply this patch.

Description

Introduction

Esri® announces the Portal for ArcGIS 10.3.1 Security 2017 Update 3 Patch. Esri recommends that all customers using Portal for ArcGIS 10.3.1 apply this patch.

This security patch is cumulative and includes several non-security related fixes from earlier patches, all of which are listed below under Issues Addressed with this patch.


Issues Addressed with this patch


  • BUG-000098559 - Un-validated redirect in Portal for ArcGIS.
  • BUG-000098482 - Cross-site scripting (XSS) issue in Portal for ArcGIS.
  • BUG-000098118 - Portal for ArcGIS exposes internal information.
  • BUG-000098025 - Bypass of URL redirection rule in Portal for ArcGIS.
  • BUG-000097640 - The BasemapGallery dijit sends an export image request instead of requesting for tiles when used with a cached image service as a basemap.
  • BUG-000096571 - The secure attribute is not present on a cookie in Portal for ArcGIS.
  • BUG-000096570 - Reflected cross-site scripting (XSS) is possible in Portal for ArcGIS.
  • BUG-000091316 - Some Portal upload operations do not validate file type correctly.

To avoid conflicts, the Portal for ArcGIS 10.3.1 version also includes:

  • BUG-000099447 - Unable to upload files in the Portal home application after updating the browser to Firefox 49 or Chrome 54.
  • BUG-000096889 - ArcGIS Server is unable to communicate with Portal for ArcGIS when the IP address of the Portal resolves to two different fully-qualified domain names.
  • BUG-000094105 - Portal generateToken operation fails to reject POST requests which contain the username or password in the query parameter.
  • BUG-000092447 - Tomcat vulnerability CVE-2014-0099 - Integer overflow attack.
  • BUG-000092445 - Tomcat vulnerability, "CVE-2014-0230 - Denial-of-service attack via thread consumption".
  • BUG-000091354 - Portal fails to refresh membership for users outside of the domain that the Portal server resides in.
  • BUG-000090845 - Restrict access to the Tomcat internal shutdown port.
  • BUG-000090552 - When editing the URL settings of an item in Portal for ArcGIS 10.3.1, the item URL does not save and reverts back to the original. (Linux Only)
  • BUG-000090024 - Unable to configure pop-ups for map service's feature layers with a unique layer ID in Portal for ArcGIS.
  • BUG-000088826 - After upgrading from 10.3 or earlier, passwords for built-in portal accounts in Portal for ArcGIS cannot be changed by the user.
  • BUG-000088682 - When Portal is configured to be SSL Only, Web AppBuilder URLs are saved as HTTP instead of HTTPS.
  • BUG-000088663 - When a Web Map Tile Service (WMTS) service using WGS84 from a non-ArcGIS for Server WMTS server is consumed as a basemap in Portal for ArcGIS, geocode results from the World Geocode Service appear in the wrong location.
  • BUG-000088505 - Portal highly available configuration should not be reset to standalone Portal if the shared content folder is not available.
  • BUG-000086481 - Incorrect geometries are displayed when reprojecting a hosted service in the map viewer.
  • BUG-000085589 - Unable to display map layers added directly to a Portal Web Map when both Portal and ArcGIS Server are configured to use Integrated Windows Authentication (IWA) and both Web Adaptors are deployed on the same server.
  • BUG-000085482 - Failure occurs when the supportsPagination parameter is ignored when searching a feature layer for values in Portal for ArcGIS 10.3.
  • BUG-000084180 - In Portal for ArcGIS, when editing a user profile, the First Name and Last Name text fields always show as blank under the Edit My Profile page.

Installing this patch on Windows


Installation Steps:


Portal for ArcGIS 10.3.1 must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    Portal for ArcGIS 10.3.1                                  Checksum (MD5)
    Portal for ArcGIS   ArcGIS-1031-PFA-SEC2017U3-Patch.msp   852BBE99DDECBCA5D9127AC3C7E23DD3

  2. Make sure you have write access to your ArcGIS installation location.

  3. Double-click ArcGIS-<Version>-PFA-SEC2017U3-Patch.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-PFA-SEC2017U3-Patch.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

Portal for ArcGIS 10.3.1 must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


         
    Portal for ArcGIS 10.3.1                                        Checksum (MD5)
    Portal for ArcGIS   ArcGIS-1031-PFA-SEC2017U3-Patch-linux.tar   AF2375CF7C0FCBF64445ECA8604EC6F5

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-PFA-SEC2017U3-Patch-linux.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
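
The checksum listed in step 1 can be checked before the archive is extracted. The script below is an added example, not part of Esri's patch or documentation: it compares a file's MD5 with the published value and fails on any mismatch. The function names and the script name verify.sh are assumptions, and it relies on md5sum from GNU coreutils being installed.

```shell
#!/bin/sh
# Added example (not Esri code): compare a downloaded patch with the MD5
# value published on this page before extracting or applying it.
# The page prints checksums in uppercase hex while md5sum prints lowercase,
# so both sides are normalised before comparing.
# MD5 detects a corrupted or truncated download; it is not collision
# resistant, so keep obtaining the file from Esri's site over HTTPS.

# md5_of FILE: print the lowercase hex MD5 of FILE.
# Reading from stdin avoids md5sum's escaping of unusual file names.
md5_of() {
    md5sum < "$1" | awk '{print $1}'
}

# verify_md5 FILE EXPECTED
# returns 0 on match, 1 on mismatch, 2 on bad input (malformed hash, unreadable file)
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d ' \r\n' | tr '[:upper:]' '[:lower:]')

    # A published MD5 is exactly 32 hex digits; reject anything else so a
    # truncated copy-paste cannot be mistaken for a real comparison.
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hex: $2" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "expected value is not 32 hex digits" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file is $actual, expected $expected" >&2
    return 1
}

# When run as: sh verify.sh FILE EXPECTED_MD5
if [ "$#" -eq 2 ]; then
    verify_md5 "$1" "$2" || exit 1
fi
```

Run it as `sh verify.sh ArcGIS-1031-PFA-SEC2017U3-Patch-linux.tar AF2375CF7C0FCBF64445ECA8604EC6F5` and continue with the tar extraction only if it exits with status 0.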

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575 if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.