
Portal for ArcGIS Security 2018 Update 1 Patch

Summary

This security patch addresses multiple security vulnerabilities found in Portal for ArcGIS. Esri recommends that all customers using Portal for ArcGIS 10.5.1, 10.4.1 and 10.3.1 apply this patch.

Description

Esri® announces the Portal for ArcGIS Security 2018 Update 1 Patch. Esri recommends that all customers using Portal for ArcGIS 10.5.1, 10.4.1 and 10.3.1 apply this patch. This patch deals specifically with the issues listed below under Issues Addressed with this patch. This security patch is cumulative and includes several non-security related fixes from an earlier patch that are also listed below under Issues Addressed with this patch.


Issues Addressed with this patch


  • BUG-000110291 - Portal for ArcGIS should not parse entity tags.
  • BUG-000110290 - Remove invalid record entries from the Portal for ArcGIS internal database.
  • BUG-000108753 - Portal for ArcGIS configured with portal-tier authentication and automatic account creation enabled will create accounts that exceed the number of licenses available.
  • BUG-000108155 - Endless generateToken requests are triggered in map viewer when token expires for a Portal configured with Integrated Windows Authentication (IWA) and federated with ArcGIS Server.
  • BUG-000107440 - Portal for ArcGIS disallows access to portaladmin when the actual machine name is not listed in the certificate.
To avoid conflicts the 10.5.1 version also addresses:
  • BUG-000109517 - In the 10.5.1 Portal for ArcGIS Map Viewer, the Create Labels panel does not function for map services published from map document with "Allow assignment of unique numeric IDs for map service publishing" setting specified.
  • BUG-000107814 - Create Labels does not work in Portal for ArcGIS 10.5.1 for ArcGIS Server 10.5.1 Map Services.
  • BUG-000107440 - Portal for ArcGIS disallows access to portaladmin when the actual machine name is not listed in the certificate.
  • BUG-000107004 - An error message is returned when running the Extract Data Task geoprocessing service in the Web AppBuilder for ArcGIS for Portal for ArcGIS 10.5.1 in Internet Explorer.
  • BUG-000106909 - Filtering a map service does not filter the attribute table in the web map.
  • BUG-000106303 - Portal for ArcGIS does not fully honor the 'domainControllerAddress' setting in the security configuration.
  • BUG-000106874 - Attachments are not preserved in the popup in web maps when using search by layer functionality.
  • BUG-000104949 - Basemaps in the WGS84 coordinate system do not draw in the Item Details Set Extent dialog box.
To avoid conflicts the 10.4.1 version also addresses:
  • BUG-000103731 - In a highly available Portal deployment, the primary node reverts to the 'Create New Site' state, if the primary node loses connection to the content directory.
  • BUG-000104116 - When adding members to Portal for ArcGIS using enterprise logins, users with user names less than six characters are not added even though no such limit actually exists in Portal for ArcGIS.
  • BUG-000104718 - Tiles for a hosted tile layer from ArcGIS Online are not visible in the Portal for ArcGIS map viewer if the tile layer is added as an item with stored credentials.
  • BUG-000103700 - Portal login page displays in English instead of default language if "Allow anonymous access to your portal" is unchecked.
  • BUG-000102927 - When a layer is slow to display in the Map Viewer, the message indicating that the layer is unresponsive does not automatically dismiss once the layer draws.
  • BUG-000102793 - Large Active Directory group structures cause latency issues with Portal for ArcGIS.
  • BUG-000100424 - The Web AppBuilder for ArcGIS Geoprocessing widget fails to display the output table when the geoprocessing service is published with the "View result with a map service" parameter.
  • BUG-000100420 - The check box for layers in the Layer List widget does not work after refreshing or launching the application again for map service feature layers when the group layer is unchecked and the sub layers are checked.
  • BUG-000099447 - Unable to upload files in the Portal home application after updating the browser to Firefox 49 or Chrome 54.
  • BUG-000098559 - Un-validated redirect in Portal for ArcGIS.
  • BUG-000098482 - Cross-site scripting (XSS) issue in Portal for ArcGIS.
  • BUG-000098148 - Refresh membership for enterprise users and groups fails to honor nested group membership in universal groups.
  • BUG-000098118 - Portal for ArcGIS exposes internal information.
  • BUG-000098025 - Bypass of URL redirection rule in Portal for ArcGIS.
  • BUG-000097777 - Support SAML logins to Portal for ArcGIS when a reverse proxy is defined using the WebContextURL property.
  • BUG-000096571 - The secure attribute is not present on a cookie in Portal for ArcGIS.
  • BUG-000096570 - Reflected cross-site scripting (XSS) is possible in Portal for ArcGIS.
  • BUG-000096161 - Error "unable to refresh item" is returned when performing analysis using the spatial analysis tools in Portal for ArcGIS Map viewer. This error occurs when ArcGIS Web Adaptor (or any reverse proxy) is on a machine different from the Hosting ArcGIS Server.
  • BUG-000094537 - Active Directory users who belong to an enterprise group with the same name as a group within a different domain are granted access to Portal for ArcGIS 10.4 even if they do not belong to the group.
  • BUG-000094523 - Cross Domain users cannot see which Enterprise groups they are a member of within Portal for ArcGIS 10.4.
  • BUG-000091316 - Some Portal upload operations do not validate file type correctly.
  • ENH-000092759 - Support enterprise usernames with a minimum length of 3 characters.
  • NIM104313 - Logging out an enterprise user in Portal for ArcGIS does not propagate the user logout to the corresponding SAML Identity Provider.
To avoid conflicts the 10.3.1 version also addresses:
  • BUG-000114325 - Multiple pages in Portal for ArcGIS 10.3.x and 10.4.x do not display correctly after updating to Chrome 67.
  • BUG-000101456 - A Web AppBuilder for ArcGIS application hosted on a web server other than the Portal for ArcGIS machine fails to display the feature layers after 30 minutes of idle time when Portal for ArcGIS is secured with Integrated Windows Authentication (IWA).
  • BUG-000099447 - Unable to upload files in the Portal home application after updating the browser to Firefox 49 or Chrome 54.
  • BUG-000098559 - Un-validated redirect in Portal for ArcGIS.
  • BUG-000098482 - Cross-site scripting (XSS) issue in Portal for ArcGIS.
  • BUG-000098118 - Portal for ArcGIS exposes internal information.
  • BUG-000098025 - Bypass of URL redirection rule in Portal for ArcGIS.
  • BUG-000096889 - ArcGIS Server is unable to communicate with Portal for ArcGIS when the IP address of the Portal resolves to two different fully-qualified domain names.
  • BUG-000097640 - The BasemapGallery dijit sends an export image request instead of requesting for tiles when used with a cached image service as a basemap.
  • BUG-000096571 - The secure attribute is not present on a cookie in Portal for ArcGIS.
  • BUG-000096570 - Reflected cross-site scripting (XSS) is possible in Portal for ArcGIS.
  • BUG-000094105 - Portal generatetoken operation fails to reject POST requests which contain the username or password in the query parameter.
  • BUG-000092447 - Tomcat vulnerability CVE-2014-0099 - Integer overflow attack.
  • BUG-000092445 - Tomcat vulnerability, "CVE-2014-0230 - Denial-of-service attack via thread consumption".
  • BUG-000091354 - Portal fails to refresh membership for users outside of the domain that the Portal server resides in.
  • BUG-000091316 - Some Portal upload operations do not validate file type correctly.
  • BUG-000090845 - Restrict access to the Tomcat internal shutdown port.
  • BUG-000090552 - When editing the URL settings of an item in Portal for ArcGIS 10.3.1, the item URL does not save and reverts back to the original. (Linux Only)
  • BUG-000090024 - Unable to configure pop-ups for map service's feature layers with a unique layer ID in Portal for ArcGIS.
  • BUG-000088826 - After upgrading from 10.3 or earlier, passwords for built-in portal accounts in Portal for ArcGIS cannot be changed by the user.
  • BUG-000088682 - When Portal is configured to be SSL Only, Web AppBuilder URLs are saved as HTTP instead of HTTPS.
  • BUG-000088663 - When a Web Map Tile Service (WMTS) service using WGS84 from a non-ArcGIS for Server WMTS server is consumed as a basemap in Portal for ArcGIS, geocode results from the World Geocode Service appear in the wrong location.
  • BUG-000088505 - Portal highly available configuration should not be reset to standalone Portal if the shared content folder is not available.
  • BUG-000086481 - Incorrect geometries are displayed when reprojecting a hosted service in the map viewer.
  • BUG-000085589 - Unable to display map layers added directly to a Portal Web Map when both Portal and ArcGIS Server are configured to use Integrated Windows Authentication (IWA) and both Web Adaptors are deployed on the same server.
  • BUG-000085482 - Failure occurs when the supportsPagination parameter is ignored when searching a feature layer for values in Portal for ArcGIS 10.3.
  • BUG-000084180 - In Portal for ArcGIS when editing a user profile First Name and Last Name text fields always shows as blank under the Edit My Profile page.

Installing this patch on Windows


Installation Steps:


Portal for ArcGIS 10.5.1, 10.4.1 or 10.3.1 must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. Version                    File                                   Checksum (Md5)
     Portal for ArcGIS 10.5.1   ArcGIS-1051-PFA-SEC2018U1-PatchB.msp   140862ed919e24755ea3d5c581416f38
     Portal for ArcGIS 10.4.1   ArcGIS-1041-PFA-SEC2018U1-Patch.msp    A31A87DBED3F403A492C83DFEE4B8F33
     Portal for ArcGIS 10.3.1   ArcGIS-1031-PFA-SEC2018U1-Patch.msp    0DAB42D5E508A26270003A637D274F45

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-<Version>-<Product>-SEC2018U1-Patch.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-<Product>-SEC2018U1-Patch.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

Portal for ArcGIS 10.5.1, 10.4.1, or 10.3.1 must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    Version                    File                                         Checksum (Md5)
    Portal for ArcGIS 10.5.1   ArcGIS-1051-PFA-SEC2018U1-PatchB-linux.tar   ad75a7f67a86a9edd007318cdd2d2d6d
    Portal for ArcGIS 10.4.1   ArcGIS-1041-PFA-SEC2018U1-Patch-linux.tar    0E96FE2B2A106B2D772212EE9C1D64D7
    Portal for ArcGIS 10.3.1   ArcGIS-1031-PFA-SEC2018U1-Patch-linux.tar    BAD34DE1152026A68066DFF7F6C1129D

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-PFA-SEC2018U1-Patch-linux.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
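
An added example, not part of Esri's patch or instructions: a shell check of the downloaded Linux archive against the Md5 values listed in step 1, to run before extracting the tar file. The script name verify_patch.sh and all function names are assumptions; an MD5 match shows the download is not corrupted or truncated, but MD5 is not collision-resistant, so it does not replace obtaining the file from Esri over HTTPS.

```shell
#!/bin/sh
# Added example (hypothetical verify_patch.sh): compare a downloaded patch
# archive with the Md5 value published on this page before extracting it.

# Published checksum for an archive name (values copied from this page).
expected_md5() {
    case "$(basename "$1")" in
        ArcGIS-1051-PFA-SEC2018U1-PatchB-linux.tar) echo ad75a7f67a86a9edd007318cdd2d2d6d ;;
        ArcGIS-1041-PFA-SEC2018U1-Patch-linux.tar)  echo 0E96FE2B2A106B2D772212EE9C1D64D7 ;;
        ArcGIS-1031-PFA-SEC2018U1-Patch-linux.tar)  echo BAD34DE1152026A68066DFF7F6C1129D ;;
        *) return 1 ;;
    esac
}

# Lower-case a hex digest: the page lists some values in upper case.
lower() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# MD5 of a file as lower-case hex; fails if the file cannot be read.
md5_of() {
    [ -r "$1" ] || return 1
    md5sum "$1" | cut -d' ' -f1
}

# Return 0 only when the file's digest equals the expected one.
verify_md5() {
    actual=$(md5_of "$1") || return 2
    [ "$actual" = "$(lower "$2")" ]
}

# Verify a named archive; refuse unknown file names and mismatches.
check_patch() {
    want=$(expected_md5 "$1") || { echo "unknown patch file: $1" >&2; return 3; }
    if verify_md5 "$1" "$want"; then
        echo "OK: $1 matches the published Md5"
    else
        echo "MISMATCH: do not extract $1; download it again" >&2
        return 1
    fi
}

# Runs only when an archive is given: ./verify_patch.sh <archive.tar>
if [ "$#" -gt 0 ]; then check_patch "$1"; fi
```
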

Uninstalling this patch on Windows


    To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux


    To remove this patch, navigate to the /tmp directory and run the following script as the ArcGIS Install owner:

    ./patchremove

    Notes: You can only remove the patch that was installed most recently.

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

February 15, 2018: The Portal for ArcGIS Security 2018 Update 1 Patch setups for 10.4.1 and 10.3.1 are now available for download.

February 28, 2018: Portal for ArcGIS Security 2018 Update 1 Patch 10.5.1 setup has been disabled to diagnose an issue.

March 14, 2018: The Portal for ArcGIS Security 2018 Update 1 Patch 10.5.1 setups are now available and will install over the top of the previous version released.

Important Note: The original version of the 10.5.1 patch introduced an issue that could cause problems authenticating users in deployments that use portal-tier authentication with enterprise users. The updated 10.5.1 patch resolves this problem and will install over the top of the previous version of the patch. Even if you do not use enterprise users with portal-tier authentication, Esri recommends you install this latest version of the patch as a matter of correctness.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites: if you have any difficulty installing this patch, please contact Esri Technical Support at 1-888-377-4575. International sites: please contact your local Esri software distributor.