
Portal for ArcGIS Log4j Patch

Summary

This security patch addresses multiple security vulnerabilities found in log4j distributed with Portal for ArcGIS. Esri recommends that all customers using Portal for ArcGIS 10.8.1 apply this patch.

Description

Important Note, April 20, 2022: New patches have been released. Please see the list directly below to understand what was addressed in these new patches. The new patches, which are shown with a “B” in the name after they are installed, will install over the top of the original patches if you have already installed the originals.

Esri® announces the Portal for ArcGIS Log4j Patch. Esri recommends that all customers using Portal for ArcGIS 10.8.1 apply this patch. This patch deals specifically with the issue listed below under Issues Addressed with this patch.


Issues Addressed with this patch


The re-release of this patch on April 20, 2022 addresses:
  • BUG-000148416 - Portal for ArcGIS service fails to restart after the Portal for ArcGIS Log4j patch installation in an Azure High Availability (HA) environment.
  • BUG-000148411 - Portal for ArcGIS Log4j Patch causes the Portal for ArcGIS 10.8.1 to Portal for ArcGIS 10.9.1 upgrade on Linux to fail and returns the error message, "Message: The requested resource [/arcgis/home/] is not available."
  • BUG-000147837 - After installing the Portal for ArcGIS 10.8.1 Log4j Patch, there are changes to the web map's pop-up font.
  • BUG-000148004 - In Portal for ArcGIS, the OGC Web Map Service (WMS) pop-up in a web map does not work after installing Portal for ArcGIS Log4j Patch.

To avoid conflicts on 10.8.1 this patch also addresses:
  • BUG-000140748 - In ArcGIS Web AppBuilder, the Analysis widget containing the Find Nearest analysis tool returns an error that the tool is not configured.
  • BUG-000140596 - The full bar chart legend is not displayed in the Map Viewer for 10.8.1 map services.
  • BUG-000139382 - Embedded Portal configurable apps fail to load on a browser with 'Block third-party cookies' enabled.
  • BUG-000139216 - Privilege escalation vulnerability in Portal for ArcGIS.
  • BUG-000139021 - In a web application created using Web AppBuilder, unable to query related table from Query Widget.
  • BUG-000138825 - The Web Scene Viewer in ArcGIS Enterprise 10.8.1 does not honor the default values for the vertex count of an IntegratedMesh I3S 1.7 layer and fails to load the content.
  • BUG-000138525 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000137142 - When creating a new StoryMap app, an unnecessary HTTP 404 response is returned that can cause issues in some fire-walled environments.
  • BUG-000136493 - Stored cross-site scripting issue in Portal for ArcGIS.
  • BUG-000136356 - The Filter widget in ArcGIS Web AppBuilder resets the 'Ask for Value' check box when two or more expressions are added.
  • BUG-000136352 - Legend info in the Portal for ArcGIS 10.8.1 Map Viewer misses the histogram chart for a published map service with a bar chart symbol.
  • BUG-000136041 - ArcGIS Enterprise portal members with custom roles should be able to delete their own services when the role includes administrative privileges such as 'View all members' and publisher privileges.
  • BUG-000135044 - Block custom roles with the admin update privilege from updating the password of default.
  • BUG-000134926 - Unvalidated redirect issue in the ArcGIS Enterprise portal sign in page.
  • BUG-000134458 - In some environments, the standby portal does not rejoin successfully.
  • BUG-000134077 - The OAuth Authorization code granted with Proof Key for Code Exchange (PKCE) fails in ArcGIS Enterprise 10.8.1.
  • BUG-000134014 - XSS filter encodes valid HTML tags that were supported in earlier releases.
  • BUG-000133143 - Unable to configure email settings for ArcGIS Enterprise if fromEmailAddress parameter contains a hyphen in the domain section of the address (e.g. test@esri-1.com).
  • BUG-000133077 - Firefly, Government, Public Safety symbol sets owned by esri_en are not shared with Esri Symbols Group.
  • BUG-000131991 - Reflected cross-site scripting (XSS) in the home application.
  • BUG-000131701 - Configurable parameters are not saved in ArcGIS Online and ArcGIS Enterprise.
  • BUG-000131521 - Only 10 layers downloaded using Screening widget 'Download' function in Chrome and Edge.
  • BUG-000129529 - When members login to the ArcGIS Enterprise portal, their last login date reported on the Members tab of the Organization page is not consistently updated.
  • BUG-000128134 - Exporting a CSV file from the Query widget in Portal for ArcGIS exports coded values rather than the descriptions.

Installing this patch on Windows


Installation Steps:


This patch should be installed on all Portal for ArcGIS installations related to the Portal for ArcGIS site.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. ArcGIS Enterprise 10.8.1

         Product:            Portal for ArcGIS
         File:               ArcGIS-1081-PFA-Log4j-PatchB.msp
         Checksum (SHA256):  12E3F267948B8C6F0CC30DBAFF8272E5EDE94A4E8DA0259D52534ADB8D56B70E

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-1081-PFA-Log4j-PatchB.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-1081-PFA-Log4j-PatchB.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    ArcGIS Enterprise 10.8.1

         Product:            Portal for ArcGIS
         File:               ArcGIS-1081-PFA-Log4j-PatchB-linux.tar
         Checksum (SHA256):  D7196EBBDA1FC197D41EF1711D810AC8235DAFDA7F2935333182BCA6EBC1F79C

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:


    % tar -xvf ArcGIS-1081-PFA-Log4j-PatchB-linux.tar

  4. Start the installation by typing:


    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
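The SHA256 value published with the Linux download can be checked before the archive is extracted in step 3. The script below is an added example, not part of Esri's instructions: the function names `sha256_of` and `verify_sha256` are hypothetical, and the file name and checksum are copied from the Linux download details on this page.

```shell
#!/bin/sh
# Added example (not Esri's code): verify the downloaded patch against the
# SHA256 published on this page before running tar or ./applypatch.
# File name and checksum are copied from the Linux download details above.
PATCH_FILE="ArcGIS-1081-PFA-Log4j-PatchB-linux.tar"
EXPECTED_SHA256="D7196EBBDA1FC197D41EF1711D810AC8235DAFDA7F2935333182BCA6EBC1F79C"

# sha256_of FILE: print the lowercase hex digest using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 on bad input (missing file, bad hash).
# The page prints checksums in uppercase while the tools print lowercase,
# so the expected value is normalised before comparing.
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    # Reject a truncated or mistyped value instead of comparing against it.
    case "$want" in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "expected value is not 64 hex chars" >&2; return 2; }
    got=$(sha256_of "$1")
    if [ "$got" = "$want" ]; then
        echo "OK: $1"
        return 0
    fi
    echo "MISMATCH: $1" >&2
    echo "  expected $want" >&2
    echo "  actual   $got" >&2
    return 1
}

# Run the check only when the download is in the current directory.
if [ -f "$PATCH_FILE" ]; then
    verify_sha256 "$PATCH_FILE" "$EXPECTED_SHA256" || exit 1
fi
```

A non-zero exit means the file should be downloaded again from the Esri Support Downloads page rather than extracted.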


Uninstalling this patch on Windows

    To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux


    To remove this patch on versions 10.7 and higher, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:


    ./removepatch.sh

    The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

    Restart your ArcGIS services

Patch Updates

Check the Esri Support Downloads page periodically for the availability of additional patches. New information about this patch will be posted here.

April 20, 2022: New patches have been released. Please see the issues addressed list to understand what was addressed in these new patches. The new patches, which are shown with a “B” in the name after they are installed, will install over the top of the original patches if you have already installed the originals.

February 23, 2022: As of February 23, 2022, a corrected Linux setup is available for this version of the Portal for ArcGIS Log4j Patch. The corrected setup takes care of a possible use case in which some files were not updated during the patch installation. If you installed the Linux version of the Portal for ArcGIS Log4j Patch before February 23, 2022, please uninstall the patch, and download and run the corrected setup now available on this page. After the corrected patch is installed, the patch title in the Patch Notification Tool and patch logs will be shown as “Portal for ArcGIS 10.8.1 Log4j Patch – Updated”. The Windows setup was not affected.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.