Skip to main content

Patches and updates

Portal for ArcGIS Log4j Patch

Published: February 3, 2022

Summary

This security patch addresses multiple security vulnerabilities found in log4j distributed with Portal for ArcGIS. Esri recommends that all customers using Portal for ArcGIS 10.7.1 apply this patch.

Description

Important Note April 20, 2022: New patches have been released, please see the list directly below to understand what was addressed in these new patches. These new patches, which are shown with a “B” in the name after they are installed, will install over the top of the original patches if you have already installed the originals.

Esri® announces the Portal for ArcGIS Log4j Patch. Esri recommends that all customers using Portal for ArcGIS 10.7.1 apply this patch. This patch deals specifically with the issue listed below under Issues Addressed with this patch.

Issues Addressed with this patch

The re-release of this patch on April 20, 2022 addresses:
  • BUG-000148416 - Portal for ArcGIS service fails to restart after the Portal for ArcGIS Log4j patch installation in an Azure High Availability (HA) environment.
To avoid conflicts on 10.7.1 this patch also addresses:
  • BUG-000139216 - Privilege escalation vulnerability in Portal for ArcGIS.
  • BUG-000139021 - In a web application created using Web AppBuilder, unable to query related table from Query Widget.
  • BUG-000138525 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000136493 - Stored cross-site scripting issue in Portal for ArcGIS.
  • BUG-000134926 - Unvalidated redirect issue in the ArcGIS Enterprise portal sign in page.
  • BUG-000133255 - Portal for ArcGIS system properties are not properly encrypted.
  • BUG-000132449 - Portal proxy does not fully honor allowedProxyHosts parameter.
  • BUG-000132379 - The image display settings configured for an imagery layer in ArcGIS Enterprise are not saved.
  • BUG-000132362 - The webgisdr utility should be updated to expect the response from Portal for ArcGIS's exportSite operation when items are missing from the items directory.
  • BUG-000132361 - When the Portal for ArcGIS service is shutting down, there's a chance that internal processes can become orphaned.
  • BUG-000132359 - Unable to make proxy requests to an external url after applying the PFA Security 2020 Update 1 Patch.
  • BUG-000132357 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000132356 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000132353 - XXE and SSRF vulnerability in Portal for ArcGIS.
  • BUG-000132351 - Uncontrolled resource exhaustion issue in Portal for ArcGIS.
  • BUG-000132292 - When Portal for ArcGIS is highly available, if the original portal machine that was installed first is shutdown, index operations will fail.
  • BUG-000131521 - Only 10 layers downloaded using Screening widget 'Download' function in Chrome and Edge.
  • BUG-000129924 - Portal for ArcGIS 10.7.1 High Availability Licensing Patch is preventing the Edit widget from editing the related tables
  • BUG-000129821 - After installing the Portal for ArcGIS 10.7.1 High Availability Licensing Patch, the Portal Home Application, or components of it such as the App Switcher, may hang or fail to load after simultaneous requests are made for Integrated Windows Authentication (IWA) users.
  • BUG-000129710 - Portal for ArcGIS has an XML external entity (XXE) vulnerability.
  • BUG-000128938 - Analysis Derive New Locations fails to run in the Analysis widget.
  • BUG-000128634 - Unable to create a backup of the portal if an item is missing from the content directory
  • BUG-000128486 - After sharing a map from ArcGIS Pro with two layers as referenced and editable, users are unable to open the Smart Editor widget from the pop-up because the Options button is disabled.
  • BUG-000128438 - Unable to save the query widget results from Web AppBuilder for ArcGIS when Portal for ArcGIS is configured with Public Key Infrastructure (PKI) or Integrated Windows Authentication (IWA).
  • BUG-000128193 - Cross-site request forgery (CSRF) vulnerability in Portal for ArcGIS.
  • BUG-000128134 - Exporting a CSV file from the Query widget in Portal for ArcGIS exports coded values rather than the descriptions.
  • BUG-000128058 - Portal for ArcGIS has a Server Side Request Forgery (SSRF) security vulnerability.
  • BUG-000128038 - Delay in Portal for ArcGIS permitting access to secured content within a group for new Enterprise members who login using Integrated Windows Authentication (IWA).
  • BUG-000127934 - Attributes are not shown completely in pop-up window when an image service with a raster function template to symbolize the data is published to ArcGIS Server, and added to Portal Scene Viewer.
  • BUG-000127472 - Stored XSS in Web AppBuilder.
  • BUG-000126709 - When an image service with raster function template to symbolize data is published to ArcGIS Server and added to Portal Map Viewer, attributes are not shown completely in pop-up window.
  • BUG-000126332 - Token is removed from cookie when Integrated Windows Authenticated users click the Scene tab in a Portal that has disabled anonymous access.
  • BUG-000126259 - Feature server layers do not consistently appear in the drop-down list of possible layers to perform analysis in Portal for ArcGIS.
  • BUG-000126198 - Primary & Standby Portals are no longer accessible after pg_hba.conf entries get commented out.
  • BUG-000126166 - Failover in a highly available portal will result in "Failed to get current license information. This connection has been closed" errors in the logs.
  • BUG-000126009 - When using the Attribute Table widget in the Web AppBuilder for ArcGIS to select many attributes in the table, only 150 attributes are selectable.
  • BUG-000125961 - In Portal for ArcGIS 10.7.1, if a layer has related records and a copy is created, the related records do not appear in pop-ups for the copied layer.
  • BUG-000125434 - A geoprocessing service with the GPDataFile input type does not provide the option to upload a file in the Web AppBuilder for ArcGIS geoprocessing widget in Portal for ArcGIS 10.7.1.
  • BUG-000125332 - Unable to set the role of ArcGIS Server to federated server with restricted publishing in ArcGIS Enterprise deployment.
  • BUG-000125033 - Users signed in through Integrated Windows Authentication (IWA) cannot search for layers under My Organization in Map Viewer.
  • BUG-000124953 - Portal for ArcGIS application information exposure.
  • BUG-000124785 - After failover, if an incremental backup is requested but a full hasn't been run, run a full backup instead of incremental
  • BUG-000124739 - The Smart Editor option is unavailable in the Web AppBuilder for ArcGIS pop-up, if the layer is shared from ArcGIS Pro as a reference and is editable in the web map.
  • BUG-000124317 - Improper server side validation of uploaded file types.
  • BUG-000124011 - Web AppBuilder for ArcGIS in Portal for ArcGIS does not display results when clicking 'Show more results' in the Search widget.
  • BUG-000123692 - Stored XSS in Portal for ArcGIS Map Viewer.
  • BUG-000123690 - Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application. CVSS 3.0 Base Score: 5.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • BUG-000123331 - The Attribute Table widget does not show related records consistently.
  • BUG-000123137 - Database transaction logs are retained on standby when running the DR tool.
  • BUG-000122662 - Include the userinfo folder during a backup .
  • BUG-000122011 - Unable to disable the My Location widget in ArcGIS Online Web AppBuilder for ArcGIS if the 'Watch for location changes' option is checked.
  • BUG-000121820 - Multiple Query widgets in the same Web AppBuilder for ArcGIS app do not work.
  • BUG-000119150 - When a field contains a Range Domain, values do not appear in the Attribute Table widget in Web App Builder
  • BUG-000117333 - The promote.dat file in the primary and standby portals causes constant creation of db snapshots in the standby arcgisportal folder.
  • BUG-000116557 - The selected features do not honor the Attribute Table widget filter in Portal for ArcGIS 10.7.1 Web AppBuilder.
  • BUG-000116405 - Portal for ArcGIS export site operation fails if the content directory path syntax utilizes forward slashes instead of back slashes.
  • BUG-000116343 - In Web AppBuilder for ArcGIS, the Group Filter widget pane is cut off when the German-Deutsch language is set in the ArcGIS Online account.
  • BUG-000116089 - The Web AppBuilder for ArcGIS Query widget filter expression is configured to only show 'Values filtered by previous expressions' lists all unique values instead of a filtered set when the previous expression is configured from the Group Filter widget.
  • ENH-000123305 - Include relationship name along with table name to better distinguish different relationships on the same table.

 

Installing this patch on Windows

Installation Steps:

This patch should be installed on all Portal for ArcGIS installations related to the Portal for ArcGIS site.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    ArcGIS Enterprise 10.7.1  
       
        Portal for ArcGIS ArcGIS-1071-PFA-Log4j-PatchB.msp
         Checksum
         (SHA256)
    4E00A7966743E15E42D666286F87951DC33D3695EFED8F765E15D39A9B4FF762
       

  2. Make sure you have write access to your ArcGIS installation location.
  3. Double-click ArcGIS-1071-PFA-Log4j-PatchB.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-1071-PFA-Log4j-PatchB.msp

 

Installing this patch on Linux

Installation Steps:

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    ArcGIS Enterprise 10.7.1  
       
    Portal for ArcGIS ArcGIS-1071-PFA-Log4j-PatchB-linux.tar
         Checksum
         (SHA256)
    C14EF0230C6B7B676A9DC413CE8CD3D4FA7024A114321C3364A4EDD22DB1CBCE
       

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.
  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-1071-PFA-Log4j-PatchB-linux.tar
     
  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

Uninstalling this patch on Windows

  • To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux

  • To remove this patch on versions 10.7 and higher, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

    ./removepatch.sh

    The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

  • Restart your ArcGIS services

Patch Updates

Check the Esri Support Downloads page periodically for the availability of additional patches. New information about this patch will be posted here.

April 20, 2022: New patches have been released, please see the list directly below to understand what was addressed in these new patches. These new patches, which are shown with a “B” in the name after they are installed, will install over the top of the original patches if you have already installed the originals.

February 23, 2022: As of February 23, 2022, a corrected Linux setup is available for this version of the Portal for ArcGIS Log4j Patch. The corrected setup takes care of a possible use case in which some files were not updated during the patch installation. If you installed the Linux version of the Portal for ArcGIS Log4j Patch before February 23, 2022, please uninstall the patch, and download and run the corrected setup now available on this page. After the corrected patch is installed, the patch title in the Patch Notification Tool and patch logs will be shown as “Portal for ArcGIS 10.7.1 Log4j Patch – Updated”. The Windows setup was not affected.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.



Download ID:7972

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options