
Portal for ArcGIS Security 2020 Update 2 Patch

Summary

This security patch addresses multiple security vulnerabilities found in Portal for ArcGIS. Esri recommends that all customers using Portal for ArcGIS 10.7.1 and 10.6.1 apply this patch.

Description

March 22, 2021: Esri has released revised setups for this patch to address this issue:

BUG-000137920 - When installing Portal for ArcGIS Security 2020 Update 2 Patch, different names are displayed for Portal for ArcGIS content folders with non-English titles.

These revised setups will install over the previously released patch; however, the Patch Notification tool is not able to report that a new, revised version has been installed. If you use the Patch Notification utility, please first uninstall the original patch and then run the PatchNotification utility to install this new, revised patch.

Esri® announces the Portal for ArcGIS Security 2020 Update 2 Patch. Esri recommends that all customers using Portal for ArcGIS 10.7.1 and 10.6.1 apply this patch. This patch deals specifically with the issue listed below under Issues Addressed with this patch. Note: This security patch is cumulative and includes several security and non-security related fixes from earlier patches that are also listed below under Issues Addressed with this patch.


Issues Addressed with this patch


To avoid conflicts the 10.7.1 patch also addresses:
  • BUG-000132362 - The webgisdr utility should be updated to expect the response from Portal for ArcGIS's exportSite operation when items are missing from the items directory.
  • BUG-000132361 - When the Portal for ArcGIS service is shutting down, there's a chance that internal processes can become orphaned.
  • BUG-000132292 - When Portal for ArcGIS is highly available, if the original portal machine that was installed first is shut down, index operations will fail.
  • BUG-000129924 - Portal for ArcGIS 10.7.1 High Availability Licensing Patch is preventing the Edit widget from editing the related tables
  • BUG-000129821 - After installing the Portal for ArcGIS 10.7.1 High Availability Licensing Patch, the Portal Home Application, or components of it such as the App Switcher, may hang or fail to load after simultaneous requests are made for Integrated Windows Authentication (IWA) users.
  • BUG-000129710 - Portal for ArcGIS has an XML external entity (XXE) vulnerability.
  • BUG-000128634 - Unable to create a backup of the portal if an item is missing from the content directory
  • BUG-000128486 - After sharing a map from ArcGIS Pro with two layers as referenced and editable, users are unable to open the Smart Editor widget from the pop-up because the Options button is disabled.
  • BUG-000128438 - Unable to save the query widget results from Web AppBuilder for ArcGIS when Portal for ArcGIS is configured with Public Key Infrastructure (PKI) or Integrated Windows Authentication (IWA).
  • BUG-000128058 - Portal for ArcGIS has a Server Side Request Forgery (SSRF) security vulnerability.
  • BUG-000128038 - Delay in Portal for ArcGIS permitting access to secured content within a group for new Enterprise members who log in using Integrated Windows Authentication (IWA).
  • BUG-000127934 - Attributes are not shown completely in pop-up window when an image service with a raster function template to symbolize the data is published to ArcGIS Server, and added to Portal Scene Viewer.
  • BUG-000126709 - When an image service with raster function template to symbolize data is published to ArcGIS Server and added to Portal Map Viewer, attributes are not shown completely in pop-up window.
  • BUG-000126332 - Token is removed from cookie when Integrated Windows Authenticated users click the Scene tab in a Portal that has disabled anonymous access.
  • BUG-000126259 - Feature server layers do not consistently appear in the drop-down list of possible layers to perform analysis in Portal for ArcGIS.
  • BUG-000126198 - Primary & Standby Portals are no longer accessible after pg_hba.conf entries get commented out.
  • BUG-000126166 - Failover in a highly available portal will result in "Failed to get current license information. This connection has been closed" errors in the logs.
  • BUG-000126009 - When using the Attribute Table widget in the Web AppBuilder for ArcGIS to select many attributes in the table, only 150 attributes are selectable.
  • BUG-000125961 - In Portal for ArcGIS 10.7.1, if a layer has related records and a copy is created, the related records do not appear in pop-ups for the copied layer.
  • BUG-000125434 - A geoprocessing service with the GPDataFile input type does not provide the option to upload a file in the Web AppBuilder for ArcGIS geoprocessing widget in Portal for ArcGIS 10.7.1.
  • BUG-000125332 - Unable to set the role of ArcGIS Server to federated server with restricted publishing in ArcGIS Enterprise deployment.
  • BUG-000125033 - Users signed in through Integrated Windows Authentication (IWA) cannot search for layers under My Organization in Map Viewer.
  • BUG-000124953 - Portal for ArcGIS application information exposure.
  • BUG-000124785 - After failover, if an incremental backup is requested but a full hasn't been run, run a full backup instead of incremental
  • BUG-000124739 - The Smart Editor option is unavailable in the Web AppBuilder for ArcGIS pop-up, if the layer is shared from ArcGIS Pro as a reference and is editable in the web map.
  • BUG-000124317 - Improper server side validation of uploaded file types.
  • BUG-000124011 - Web AppBuilder for ArcGIS in Portal for ArcGIS does not display results when clicking 'Show more results' in the Search widget.
  • BUG-000123690 - Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application.
  • BUG-000123331 - The Attribute Table widget does not show related records consistently.
  • BUG-000123137 - Database transaction logs are retained on standby when running the DR tool.
  • BUG-000122662 - Include the userinfo folder during a backup.
  • BUG-000119150 - When a field contains a Range Domain, values do not appear in the Attribute Table widget in Web App Builder
  • BUG-000117333 - The promote.dat file in the primary and standby portals causes constant creation of db snapshots in the standby arcgisportal folder.
  • BUG-000116557 - The selected features do not honor the Attribute Table widget filter in Portal for ArcGIS 10.7.1 Web AppBuilder.
  • BUG-000116405 - Portal for ArcGIS export site operation fails if the content directory path syntax utilizes forward slashes instead of back slashes.
  • BUG-000116343 - In Web AppBuilder for ArcGIS, the Group Filter widget pane is cut off when the German-Deutsch language is set in the ArcGIS Online account.
  • BUG-000116089 - The Web AppBuilder for ArcGIS Query widget filter expression configured to only show 'Values filtered by previous expressions' lists all unique values instead of a filtered set when the previous expression is configured from the Group Filter widget.
  • ENH-000123305 - Include relationship name along with table name to better distinguish different relationships on the same table.

To avoid conflicts the 10.6.1 patch also addresses:
  • BUG-000132362 - The webgisdr utility should be updated to expect the response from Portal for ArcGIS's exportSite operation when items are missing from the items directory.
  • BUG-000132292 - When Portal for ArcGIS is highly available, if the original portal machine that was installed first is shut down, index operations will fail.
  • BUG-000129710 - Portal for ArcGIS has an XML external entity (XXE) vulnerability.
  • BUG-000128634 - Unable to create a backup of the portal if an item is missing from the content directory
  • BUG-000128058 - Portal for ArcGIS has a Server Side Request Forgery (SSRF) security vulnerability.
  • BUG-000127276 - When accessing a secured service from a federated Server through Map Viewer or Web AppBuilder in Portal for ArcGIS 10.6.1 using IWA, the service token fails to regenerate automatically and causes the service to become blank when the token expires.
  • BUG-000126198 - Primary & Standby Portals are no longer accessible after pg_hba.conf entries get commented out.
  • BUG-000124953 - Portal for ArcGIS application information exposure
  • BUG-000124785 - After failover, if an incremental backup is requested but a full hasn't been run, run a full backup instead of incremental
  • BUG-000124382 - After allowing Google Chrome to save your account details, the 'Add Item' > 'From the web' option displays the error 'The service type is not valid'.
  • BUG-000123690 - Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application.
  • BUG-000123331 - The Attribute Table widget does not show related records consistently.
  • BUG-000123137 - Database transaction logs are retained on standby when running the DR tool.
  • BUG-000123043 - Decrease the number of JavaScript files loaded when printing in the Portal map viewer.
  • BUG-000122662 - Include the userinfo folder during a backup.
  • BUG-000121732 - The custom basemap does not appear in the Web AppBuilder for ArcGIS Basemap widget although the group is set as the default in the Edit settings under Organization.
  • BUG-000121145 - Portal proxy does not fully validate allowedProxyHosts parameter.
  • BUG-000120392 - Smart Editor Widget Fails to Set Attribute Action Expressions in Portal for ArcGIS 10.6.1.
  • BUG-000120333 - Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application.
  • BUG-000120061 - Related data points to the same feature in Web AppBuilder for ArcGIS for Portal for ArcGIS when there are multiple relationships to the same feature class.
  • BUG-000119891 - Portal for ArcGIS profiles allow HTML injection (Only in 10.6.1).
  • BUG-000117926 - Unable to synchronize collaboration workspaces when the guest participant's content directory uses a Cloud Store.
  • BUG-000117564 - Privilege escalation vulnerability
  • BUG-000117369 - Reflected cross-site scripting (XSS) in item URL
  • BUG-000117367 - Un-validated redirect in Portal for ArcGIS
  • BUG-000117333 - The promote.dat file in the primary and standby portals causes constant creation of db snapshots in the standby arcgisportal folder.
  • BUG-000116870 - Unable to share Insights Workbooks, Pages and Model items to Everyone.
  • BUG-000116734 - The Attribute Table widget selections are not consistently honored by the Edit widget.
  • BUG-000116687 - Temporal filters created from tool parameters in Portal for ArcGIS Map Viewer are incorrectly formatted and cause tool failures.
  • BUG-000116405 - Portal for ArcGIS export site operation fails if the content directory path syntax utilizes forward slashes instead of back slashes.
  • BUG-000116195 - Panning and zooming in the web maps on a touch screen device does not work in Google Chrome 68.x.
  • BUG-000115964 - The App Launcher becomes unavailable after the external content is disabled.
  • BUG-000115859 - When selecting line or polygon features for layers with pop-ups enabled, the selection symbology does not match the actual feature geometry.
  • BUG-000114004 - The Show Related Records option in the Attribute Table widget returns no records in the related table.
  • BUG-000112707 - Reflected cross-site scripting (XSS) in Portal for ArcGIS Home application.
  • BUG-000112342 - The webgisdr incremental restore fails when Geo Analytics Server is federated and registered with Portal as the Geo Analytics Server.
  • ENH-000123305 - Include relationship name along with table name to better distinguish different relationships on the same table.
  • ENH-000116621 - Add the ability to modify the maximum token expiration time of tokens generated to log in to Portal for ArcGIS when using IDP-initiated logins.

Installing this patch on Windows


Installation Steps:


The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. ArcGIS 10.7.1

         Portal for ArcGIS: ArcGIS-1071-PFA-SEC2020U2-PatchB.msp
         Checksum (SHA256): 4E33FDDA53CEFCDCE54584B5C2C7D976C3740F636DECCEA0B93EC6DC24B9BAFE

     ArcGIS 10.6.1

         Portal for ArcGIS: ArcGIS-1061-PFA-SEC2020U2-PatchB.msp
         Checksum (SHA256): BC2D971CCE4CA6B56AA5A44AF7FD8A3F5D0131A93839B404050C9081B05D9F8B

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-<Version>-PFA-SEC2020U2-Patch.msp to start the setup process.

    NOTE: If double-clicking the msp file does not start the setup installation, you can start it manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-<Version>-PFA-SEC2020U2-Patch.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


     ArcGIS 10.7.1

         Portal for ArcGIS: ArcGIS-1071-PFA-SEC2020U2-PatchB-linux.tar
         Checksum (SHA256): 277E70BCD1274ECE38B2B18111B8A707A508A3B3904CDACDF3E7E6235771EB73

     ArcGIS 10.6.1

         Portal for ArcGIS: ArcGIS-1061-PFA-SEC2020U2-PatchB-linux.tar
         Checksum (SHA256): 38E6EAC2517C01AE54F41172A8B5FD94B2CC5A0618655F6E886678999CF156A9

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-<Version>-PFA-SEC2020U2-Patch-linux.tar

  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
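
A checksum check to run after the download in step 1 and before extracting or installing, given here as an added example that is not part of Esri's instructions: it compares the file's SHA256 with the values published in the download tables above (Windows and Linux) and rejects file names that have no published value. The function names are hypothetical, and it assumes sha256sum or shasum is on the PATH.

```shell
#!/bin/sh
# Added example: check a downloaded patch against the SHA256 values published
# on this page before extracting or installing it. Function names are hypothetical.

# Print the published checksum for a patch file name (values copied from the page).
published_sha256() {
  case "$(basename "$1")" in
    ArcGIS-1071-PFA-SEC2020U2-PatchB.msp)
      echo 4E33FDDA53CEFCDCE54584B5C2C7D976C3740F636DECCEA0B93EC6DC24B9BAFE ;;
    ArcGIS-1061-PFA-SEC2020U2-PatchB.msp)
      echo BC2D971CCE4CA6B56AA5A44AF7FD8A3F5D0131A93839B404050C9081B05D9F8B ;;
    ArcGIS-1071-PFA-SEC2020U2-PatchB-linux.tar)
      echo 277E70BCD1274ECE38B2B18111B8A707A508A3B3904CDACDF3E7E6235771EB73 ;;
    ArcGIS-1061-PFA-SEC2020U2-PatchB-linux.tar)
      echo 38E6EAC2517C01AE54F41172A8B5FD94B2CC5A0618655F6E886678999CF156A9 ;;
    *) return 1 ;;
  esac
}

# Hex SHA256 of a file, using whichever common tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 if the file matches the expected digest (case-insensitive),
# 1 on mismatch, 2 if the file is missing.
verify_sha256() {
  [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  have=$(sha256_of "$1" | tr 'A-F' 'a-f')
  if [ "$have" = "$want" ]; then echo "OK $1"; return 0; fi
  echo "MISMATCH $1: expected $want, got $have" >&2
  return 1
}

# Verify by file name; return 3 for names with no published checksum.
verify_patch() {
  want_pub=$(published_sha256 "$1") || {
    echo "no published checksum for $1" >&2; return 3; }
  verify_sha256 "$1" "$want_pub"
}

# Stand-alone use: sh verify_patch.sh <downloaded file> && tar -xvf <downloaded file>
if [ "$#" -gt 0 ]; then verify_patch "$1"; fi
```

A nonzero exit status means the file should not be extracted or installed; download it again from the Esri Support site and re-check.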


Uninstalling this patch on Windows


    To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux


Uninstalling this patch is only available on version 10.6 and higher.

To remove this patch on 10.6.1, navigate to the /tmp directory and run the following script as the ArcGIS Install owner:


./patchremove

Notes: You can only remove the patch that was installed most recently.

Restart your ArcGIS Server services.

To remove this patch on versions 10.7 and higher, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:



./removepatch.sh

The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

Restart your ArcGIS services.


Patch Updates

Check the Esri Support Downloads page periodically for the availability of additional patches. New information about this patch will be posted here.


How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575 if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.