English
Continue in the app

Portal for ArcGIS Log4j Patch

Summary

This security patch addresses multiple security vulnerabilities found in log4j distributed with Portal for ArcGIS. Esri recommends that all customers using Portal for ArcGIS 10.6.1 apply this patch.

Description

Important Note: As of February 23, 2022, a corrected Linux setup is available for this version of the Portal for ArcGIS Log4j Patch. The corrected setup takes care of a possible use case in which some files were not updated during the patch installation. If you installed the Linux version of the Portal for ArcGIS Log4j Patch before February 23, 2022, please uninstall the patch, and download and run the corrected setup now available on this page. After the corrected patch is installed, the patch title in the Patch Notification Tool and patch logs will be shown as “Portal for ArcGIS 10.6.1 Log4j Patch – Updated”. The Windows setup was not affected.

Esri® announces the Portal for ArcGIS Log4j Patch. Esri recommends that all customers using Portal for ArcGIS 10.6.1 apply this patch. This patch deals specifically with the issue listed below under Issues Addressed with this patch.


Issues Addressed with this patch



To avoid conflicts on 10.6.1 this patch also addresses:
  • BUG-000139216 - Privilege escalation vulnerability in Portal for ArcGIS.
  • BUG-000138525 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000136840 - SSRF vulnerability in Portal for ArcGIS.
  • BUG-000136493 - Stored cross-site scripting issue in Portal for ArcGIS.
  • BUG-000133255 - Portal for ArcGIS system properties are not properly encrypted.
  • BUG-000132452 - Reflected XSS in Portal for ArcGIS Home app.
  • BUG-000132449 - Portal proxy does not fully honor allowedProxyHosts parameter.
  • BUG-000132362 - The webgisdr utility should be updated to expect the response from Portal for ArcGIS's exportSite operation when items are missing from the items directory.
  • BUG-000132359 - Unable to make proxy requests to an external url after applying the Portal for ArcGIS Security 2020 Update 1 Patch.
  • BUG-000132357 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000132356 - Reflected XSS vulnerability in Portal for ArcGIS.
  • BUG-000132353 - XXE and SSRF vulnerability in Portal for ArcGIS.
  • BUG-000132351 - Uncontrolled resource exhaustion issue in Portal for ArcGIS.
  • BUG-000132292 - When Portal for ArcGIS is highly available, if the original portal machine that was installed first is shutdown, index operations will fail.
  • BUG-000129710 - Portal for ArcGIS has an XML external entity (XXE) vulnerability.
  • BUG-000128634 - Unable to create a backup of the portal if an item is missing from the content directory
  • BUG-000128193 - Cross-site request forgery (CSRF) vulnerability in Portal for ArcGIS.
  • BUG-000128058 - Portal for ArcGIS has a Server Side Request Forgery (SSRF) security vulnerability.
  • BUG-000127472 - Stored XSS in Web AppBuilder.
  • BUG-000127276 - When accessing a secured service from a federated Server through Map Viewer or Web AppBuilder in Portal for ArcGIS 10.6.1 using IWA, the service token fails to regenerate automatically and causes the service to become blank when the token expires.
  • BUG-000126198 - Primary & Standby Portals are no longer accessible after pg_hba.conf entries get commented out.
  • BUG-000124953 - Portal for ArcGIS application information exposure
  • BUG-000124785 - After failover, if an incremental backup is requested but a full hasn't been run, run a full backup instead of incremental
  • BUG-000124382 - After allowing Google Chrome to save your account details, the 'Add Item' > 'From the web' option displays the error 'The service type is not valid'.
  • BUG-000123692 - Stored XSS in Portal for ArcGIS Map Viewer.
  • BUG-000123690 - Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application. CVSS 3.0 Base Score: 5.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • BUG-000123331 - The Attribute Table widget does not show related records consistently.
  • BUG-000123137 - Database transaction logs are retained on standby when running the DR tool.
  • BUG-000123043 - Decrease the number of JavaScript files loaded when printing in the Portal map viewer.
  • BUG-000122662 - Include the userinfo folder during a backup .
  • BUG-000121732 - The custom basemap does not appear in the Web AppBuilder for ArcGIS Basemap widget although the group is set as the default in the Edit settings under Organization.
  • BUG-000121145 - Portal proxy does not fully validate allowedProxyHosts parameter.
  • BUG-000120392 - Smart Editor Widget Fails to Set Attribute Action Expressions in Portal for ArcGIS 10.6.1.
  • BUG-000120333 - Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application.
  • BUG-000120300 - A publicly shared scene view prompts for authentication after 10 minutes of inactivity when using a scene service published to ArcGIS Enterprise 10.7 portal prerelease.
  • BUG-000120061 - Related data points to the same feature in Web AppBuilder for ArcGIS for Portal for ArcGIS when there are multiple relationships to the same feature class.
  • BUG-000119891 - Portal for ArcGIS profiles allow HTML injection (Only in 10.6.1, 10.5.1 and 10.4.1). CVSS 3.0 Base Score: 3.5 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
  • BUG-000117926 - Unable to synchronize collaboration workspaces when the guest participant's content directory uses a Cloud Store.
  • BUG-000117564 - Privilege escalation vulnerability
  • BUG-000117369 - Reflected cross-site scripting (XSS) in item URL
  • BUG-000117367 - Un-validated redirect in Portal for ArcGIS
  • BUG-000117333 - The promote.dat file in the primary and standby portals causes constant creation of db snapshots in the standby arcgisportal folder.
  • BUG-000116870 - Unable to share Insights Workbooks, Pages and Model items to Everyone.
  • BUG-000116734 - The Attribute Table widget selections are not consistently honored by the Edit widget.
  • BUG-000116687 - Temporal filters created from tool parameters in Portal for ArcGIS Map Viewer are incorrectly formatted and cause tool failures.
  • BUG-000116405 - Portal for ArcGIS export site operation fails if the content directory path syntax utilizes forward slashes instead of back slashes.
  • BUG-000116195 - Panning and zooming in the web maps on a touch screen device does not work in Google Chrome 68.x.
  • BUG-000115964 - The App Launcher becomes unavailable after the external content is disabled.
  • BUG-000115859 - When selecting line or polygon features for layers with pop-ups enabled, the selection symbology does not match the actual feature geometry.
  • BUG-000114004 - The Show Related Records option in the Attribute Table widget returns no records in the related table.
  • BUG-000112707 - Reflected cross-site scripting (XSS) in Portal for ArcGIS Home application.
  • BUG-000112342 - The webgisdr incremental restore fails when Geo Analytics Server is federated and registered with Portal as the Geo Analytics Server.
  • ENH-000123305 - Include relationship name along with table name to better distinguish different relationships on the same table.
  • ENH-000116621 - Add the ability to modify the maximum token expiration time of tokens generated to login to Portal for ArcGIS when using IDP-initiated logins.

Installing this patch on Windows


Installation Steps:


This patch should be installed on all Portal for ArcGIS installations related to the Portal for ArcGIS site.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

  2. ArcGIS Enterprise 10.6.1  
       
        Portal for ArcGIS ArcGIS-1061-PFA-Log4j-Patch.msp
         Checksum
         (SHA256)
    41BB0526743FC264B3AE9F23DA1995EE59AB119C080F1349D761F32C92022737
       

  3. Make sure you have write access to your ArcGIS installation location.

  4. Double-click ArcGIS-1061-PFA-Log4j-Patch.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-1061-PFA-Log4j-Patch.msp


Installing this patch on Linux


Installation Steps:


Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.


    ArcGIS Enterprise 10.6.1  
       
    Portal for ArcGIS ArcGIS-1061-PFA-Log4j-Patch-linux.tar
         Checksum
         (SHA256)
    070BECC624D838346D3FEB0658A93959AAE2B83D53E62CC8EA36E5A00F5100A8
       

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

  3. Extract the specified tar file by typing:


    % tar -xvf ArcGIS-1061-PFA-Log4j-Patch-linux.tar

  4. Start the installation by typing:


    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.


Uninstalling this patch on Windows

    To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux


    To uninstall this patch on Linux for ArcGIS 10.5.1 through 10.6.1, navigate to the /tmp directory and run the following script as the ArcGIS Install owner:

    Notes: You can only remove the patch that was installed most recently.

    ./patchremove
    Restart your ArcGIS services

Patch Updates

Check the Esri Support Downloads page periodically for the availability of additional patches. New information about this patch will be posted here.

February 23, 2022: As of February 23, 2022, a corrected Linux setup is available for this version of the Portal for ArcGIS Log4j Patch. The corrected setup takes care of a possible use case in which some files were not updated during the patch installation. If you installed the Linux version of the Portal for ArcGIS Log4j Patch before February 23, 2022, please uninstall the patch, and download and run the corrected setup now available on this page. After the corrected patch is installed, the patch title in the Patch Notification Tool and patch logs will be shown as “Portal for ArcGIS 10.6.1 Log4j Patch – Updated”. The Windows setup was not affected.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.