
Portal for ArcGIS Privilege Escalation Security Patch

Summary

This security patch addresses a security vulnerability found in Portal for ArcGIS. Esri recommends that all customers using Portal for ArcGIS 10.6, 10.5, 10.4, and 10.3 apply this patch.

Description

Esri® announces the Portal for ArcGIS Privilege Escalation Security Patch. Esri recommends that all customers using Portal for ArcGIS 10.6, 10.5, 10.4, and 10.3 apply this patch. This patch deals specifically with the issues listed below under Issues Addressed with this patch. This security patch is cumulative and includes several security and non-security related fixes from earlier patches that are also listed below under Issues Addressed with this patch.

Customers using 10.6.1, 10.5.1, 10.4.1, or 10.3.1 should download the Portal for ArcGIS Security Update 3 Patch which includes this fix.


Issues Addressed with this patch


  • BUG-000117564 - Privilege escalation vulnerability
To avoid conflicts, the 10.6 version also addresses:
  • BUG-000114738 - Internet Explorer 11 does not properly encode spaces in certain Portal request URLs, which causes the request to fail in Portal Linux 10.6
To avoid conflicts, the 10.5 version also addresses:
  • BUG-000112314 - Unable to print web maps in the map viewer when the default basemap is a Web Map Tile Service (WMTS) that is not in Web Mercator Auxiliary Sphere coordinate system.
  • BUG-000111550 - Cross-site scripting (XSS) issue in Portal for ArcGIS.
  • BUG-000108753 - Portal for ArcGIS configured with portal-tier authentication and automatic account creation enabled will create accounts that exceed the number of licenses available.
  • BUG-000104521 - Portal for ArcGIS performance is impacted as the number of members increases.
  • BUG-000103165 - Unable to share with users in Portal Active Directory (AD) nested group configurations across domains.
  • BUG-000102793 - Large Active Directory group structures cause latency issues with Portal for ArcGIS.
To avoid conflicts, the 10.4 version also addresses:
  • BUG-000114325 - Multiple pages in Portal for ArcGIS 10.3.x and 10.4.x do not display correctly after updating to Chrome 67.
  • BUG-000099447 - Unable to upload files or create groups in the Portal home application after updating the browser to Firefox 49, Chrome 54, or Safari 10.
  • BUG-000098559 - Unvalidated redirect in Portal for ArcGIS.
  • BUG-000098482 - Cross-site scripting (XSS) issue in Portal for ArcGIS.
  • BUG-000098118 - Portal for ArcGIS exposes internal information.
  • BUG-000098025 - Bypass of URL redirection rule in Portal for ArcGIS.
  • BUG-000096571 - The secure attribute is not present on a cookie in Portal for ArcGIS.
  • BUG-000096570 - Reflected cross-site scripting (XSS) is possible in Portal for ArcGIS.
  • BUG-000094214 - Unable to import ArcGIS Pro entitlements to Portal for ArcGIS 10.4.
  • BUG-000091316 - Some Portal upload operations do not validate file type correctly.
To avoid conflicts, the 10.3 version also addresses:
  • BUG-000114325 - Multiple pages in Portal for ArcGIS 10.3.x and 10.4.x do not display correctly after updating to Chrome 67.
  • BUG-000099447 - Unable to upload files or create groups in the Portal home application after updating the browser to Firefox 49, Chrome 54, or Safari 10.
  • BUG-000091176 - A blank page appears rather than "You do not have permission to access this resource" error message when accessing an application built using the Web AppBuilder for ArcGIS hosted in Portal for ArcGIS when the user does not have permissions to the application.
  • BUG-000085716 - Layers that are checked off in Portal for ArcGIS web map, and then checked on after the map is loaded in Web AppBuilder for ArcGIS do not display a pop-up window.
  • BUG-000085646 - Map viewer: time enabled layer shows all features when switching to a custom WMTS basemap.
  • BUG-000085644 - Map Viewer: custom basemap with two tile layers doesn't render all layers.
  • BUG-000084417 - Portal in highly available configuration will fail to function when one of the two portal machines comes back from a failure.
  • BUG-000083536 - Map Viewer: with a WMTS basemap with multiple layers, one of the basemap layers is dropped from the viewer in certain cases.
  • BUG-000083190 - When authorized with a perpetual license, the Portal for ArcGIS home application does not open.

Installing this patch on Windows


Installation Steps:


Portal for ArcGIS 10.6, 10.5, 10.4 or 10.3 must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. Portal for ArcGIS   File                            Checksum (MD5)
     10.6                ArcGIS-106-PFA-PES-Patch.msp    35DF6626DDD63F05F5213CE159B00985
     10.5                ArcGIS-105-PFA-PES-Patch.msp    97A4BD465B183B80B5A835AD82B49D2D
     10.4                ArcGIS-104-PFA-PES-Patch.msp    FD383F606308A22346098A9B954D1CA2
     10.3                ArcGIS-103-PFA-PES-Patch.msp    44B900EEEBB42B65EBFA500194560573

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-<Version>-PFA-PES-Patch.msp to start the setup process.

    NOTE: If double-clicking the MSP file does not start the setup, you can start it manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-PFA-PES-Patch.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

Portal for ArcGIS 10.6, 10.5, 10.4 or 10.3 must be installed before installing this patch.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    Portal for ArcGIS   File                                  Checksum (MD5)
    10.6                ArcGIS-106-PFA-PES-Patch-linux.tar    D5C056D4BEED589BC8429DB0536814FA
    10.5                ArcGIS-105-PFA-PES-Patch-linux.tar    07457DC805301C39F52D59EC22B21C9F
    10.4                ArcGIS-104-PFA-PES-Patch-linux.tar    A06A17B19BEC69263A0E90B914F50E70
    10.3                ArcGIS-103-PFA-PES-Patch-linux.tar    FDB99611AA8E47768C1AA511048A4853

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-PFA-PES-Patch-linux.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
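
    The following is an added example, not part of Esri's instructions: a shell check that compares the downloaded Linux archive with the MD5 value published in the table above, to be run before extracting the tar file. The function names are this example's own, and md5sum (GNU coreutils) is assumed to be installed.

```shell
#!/bin/sh
# Added example: verify a downloaded Portal for ArcGIS patch archive before
# extracting it. MD5 detects a corrupted or truncated download; it is not
# collision-resistant, so the download source still has to be trusted.

# Published MD5 for each Linux archive (values copied from the table on this page).
expected_md5() {
    case "$1" in
        10.6) echo D5C056D4BEED589BC8429DB0536814FA ;;
        10.5) echo 07457DC805301C39F52D59EC22B21C9F ;;
        10.4) echo A06A17B19BEC69263A0E90B914F50E70 ;;
        10.3) echo FDB99611AA8E47768C1AA511048A4853 ;;
        *)    return 1 ;;   # version not covered by this patch
    esac
}

# Succeeds only if the file exists and its MD5 equals the given hex digest.
# The page prints digests in upper case, md5sum prints lower case, so both
# sides are normalised before comparing.
md5_matches() {
    [ -f "$1" ] || return 2
    actual_digest=$(md5sum "$1" | awk '{print $1}' | tr 'a-f' 'A-F')
    wanted_digest=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$actual_digest" = "$wanted_digest" ]
}

# usage: verify_patch <version> <path-to-tar>
verify_patch() {
    published=$(expected_md5 "$1") || { echo "unknown version: $1" >&2; return 3; }
    if md5_matches "$2" "$published"; then
        echo "OK: $2 matches the published MD5 for $1"
    else
        echo "MISMATCH: do not extract or install $2" >&2
        return 1
    fi
}

# Run directly, e.g.: sh verify_patch.sh 10.6 ArcGIS-106-PFA-PES-Patch-linux.tar
if [ "$#" -eq 2 ]; then
    verify_patch "$1" "$2"
fi
```

    A non-zero exit status means the archive should be downloaded again rather than passed to tar and ./applypatch.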

Uninstalling this patch on Windows


    To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux


Uninstalling this patch is only available on version 10.6 and higher. To remove this patch, navigate to the /tmp directory and run the following script as the ArcGIS Install owner:

./patchremove

Note: You can only remove the patch that was installed most recently.

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites: if you have any difficulty installing this patch, please contact Esri Technical Support at 1-888-377-4575. International sites: please contact your local Esri software distributor.