Portal for ArcGIS Enterprise Sites 2023 Security Patch update (2024)

Updated Portal for ArcGIS Enterprise Sites 2023 Security Patch and ArcGIS Validation and Repair tools released for versions 10.8.1, 10.9.1, and 11.1.

The release for version 10.8.1 concludes efforts to respond to the defective Portal for ArcGIS Enterprise Sites Security Patch.

March 21, 2024: A new setup for the ArcGIS Enterprise 10.8.1 Windows version of the Portal for ArcGIS Enterprise Sites Security Patch is now available. This new setup addresses an issue related to a defective patch installation on Windows, as described in BUG-000161711. Before installing this new patch, first run the Portal for ArcGIS Validation and Repair tool. The tool will validate your ArcGIS Enterprise deployment and determine if the defective patch is installed. If the defective patch is detected, you will be directed to use the tool to repair your deployment before you can install Portal for ArcGIS patches released as of December 2023.

The new setup, which replaces the defective patch, is named Portal for ArcGIS Enterprise Sites Security Patch. Note that the patch, when shown as available in the ArcGIS Enterprise Patch Notification tool, is listed as Portal for ArcGIS Enterprise Sites Security Patch (without the B suffix) with a release date of March 21, 2024; once installed, it is listed as Portal for ArcGIS Enterprise Sites Security Patch B.

More details about the defective patch installation are available from this Technical Support resource.

Patch history: Previous updates regarding this patch can be read in detail below the list of issues addressed with the patch.

11.1
  • Windows: Available as of Dec 12, 2023. Portal for ArcGIS 11.1 Enterprise Sites Security Patch C
  • Linux: Available as of Dec 12, 2023. Portal for ArcGIS 11.1 Enterprise Sites Security Patch C

10.9.1
  • Windows: Available as of February 12, 2024. Portal for ArcGIS 10.9.1 Enterprise Sites Security Patch B
  • Linux: Available as of Dec 12, 2023. Portal for ArcGIS 10.9.1 Enterprise Sites Security Patch B

10.8.1
  • Windows: Available as of March 21, 2024. Portal for ArcGIS 10.8.1 Enterprise Sites Security Patch B
  • Linux: Available as of Dec 12, 2023. Portal for ArcGIS 10.8.1 Enterprise Sites Security Patch B

The Portal for ArcGIS 10.8.1 Validation and Repair tool is also live on the support site. The URL is:

https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-validation-and-repair

Summary

Esri announces the Portal for ArcGIS Validation and Repair tool. The Portal for ArcGIS Validation and Repair tool must be run on all 11.1, 10.9.1 and 10.8.1 machines with Portal for ArcGIS installed. The Portal for ArcGIS Validation and Repair tool is specifically for deployments on Windows.

The tool will validate your deployment and determine if the defective Portal for ArcGIS Enterprise Sites Security Patch is installed. If the defective patch is detected, you will be directed to use the tool to repair the deployment. The repair will remove the defective patch and all other Portal for ArcGIS patches on the deployment. After completing the repair, Portal for ArcGIS patches will need to be reapplied either through the ArcGIS Enterprise Patch Notification tool or by downloading patches available from Esri.

Esri recommends scheduling the repair, as well as the reinstallation of patches, during a planned maintenance timeframe. This is because the Enterprise portal will be inaccessible while the repair and patch reinstallation take place, which can be for several hours. The time needed for repair depends on the number of patches installed as well as hardware and machine resources. Note that repair time will be significantly longer for Portal for ArcGIS Enterprise 10.8.1 deployments than other versions. The Portal for ArcGIS Validation and Repair tool reports a progress status as each patch is removed. If the tool must be terminated during the repair, it is possible to re-run the tool and resume the repair, but only after the machine has been restarted. The tool creates a log file and details on how to use the log are found in the Additional details section.

All Portal for ArcGIS patches released as of December 2023 will have a prerequisite requiring that the Portal for ArcGIS Validation and Repair tool is run successfully. Only following the successful validation of a deployment will it be possible to install new Portal for ArcGIS patches. Therefore, you will need to run the Portal for ArcGIS Validation and Repair tool prior to installing any Portal for ArcGIS patches released as of December 2023.

The Portal for ArcGIS Validation and Repair tool is available for download from the table below or from the ArcGIS Enterprise Patch Notification Tool that is installed with your deployment.

March 21, 2024: Portal for ArcGIS Validation and Repair tool is now available for version 10.8.1. Refer to this Technical Support page for information about these bugs and Esri’s planned response.

March 21, 2024: A new setup is now available for the Portal for ArcGIS 10.9.1 Validation and Repair tool. This new version of the tool includes resolutions for a possible upgrade failure and issues running the tool with no available disk space. This version also enhances tool resiliency when it is terminated during a repair and provides more informative logging. There is no need to run this new tool if you already used the previous version of the tool to successfully validate your Enterprise portal.

The new setup replaces the previous Portal for ArcGIS 10.9.1 Validation and Repair tool. When shown as available in the ArcGIS Enterprise Patch Notification tool, it is listed as Portal for ArcGIS 10.9.1 Validation and Repair (without the B suffix) with a release date of March 21, 2024; once installed, it is listed as Portal for ArcGIS Validation and Repair B. Note that the B version of the tool will run overtop of the previous version; there is no need to uninstall the previous version prior to running the new setup.

February 12, 2024: Portal for ArcGIS Validation and Repair tool is now available for version 10.9.1. Refer to this Technical Support page for information about these bugs and Esri’s planned response.

December 12, 2023: Portal for ArcGIS Validation and Repair tool is currently only available for version 11.1. Refer to this Technical Support page for information about these bugs and Esri’s planned response.

********************************

January 29, 2024: A defect has been identified in the Portal for ArcGIS Enterprise Sites Security Patch for 10.8.1, 10.9.1, and 11.1. This patch was initially released in late June 2023 and has been disabled for download as of October 12, 2023 while this defect is investigated.

The defect is described here.

The 11.1 version of this patch has been rereleased. Patches for previous versions are forthcoming. We have updated this advisory to provide guidance for those users who have not yet installed any version of the Portal for ArcGIS Enterprise Sites Security Patch and require interim mitigations to address the vulnerabilities fixed by those patches.

**********************************

Important note December 12, 2023: A new setup for the ArcGIS Enterprise 11.1 Windows version of the Portal for ArcGIS Enterprise Sites Security Patch is now available here. This new setup addresses an issue related to a defective patch installation on Windows, as described in BUG-000163367. Before installing this new patch, first run the Portal for ArcGIS Validation and Repair tool. The tool will validate your ArcGIS Enterprise deployment and determine if any defective patches are installed. If defective patches are detected, you will be directed to use the tool to repair your deployment before you can install Portal for ArcGIS patches released as of December 2023. Windows 10.9.1 and 10.8.1 versions of this patch will be released at a future date.

Linux is not impacted by BUG-000163367, BUG-000160895, and BUG-000161711, therefore all versions of the Linux patch are now available (11.1, 10.9.1 and 10.8.1) and do not require the Portal for ArcGIS Validation and Repair tool to be run.

Customers working with versions prior to ArcGIS 11.1 who cannot patch at this time may mitigate all security issues addressed by the Portal for ArcGIS Enterprise Sites Security Patch.

Mitigation Options include:

Option 1: Upgrade your deployment to ArcGIS Enterprise 11.2 to completely remediate these vulnerabilities.

  • IMPORTANT NOTE: This option is ONLY VALID if you have not yet installed the problematic ArcGIS Enterprise Sites Security Patch.
  • If you HAVE installed the problematic ArcGIS Enterprise Sites Security Patch, option 2 remains viable.
  • Do not attempt to upgrade without first running the Portal for ArcGIS Validation and Repair tool on any version of ArcGIS Enterprise.

Option 2: Remove members from ArcGIS Enterprise Sites Core Team groups.

In either case, ArcGIS Enterprise sites will remain accessible.

Important note October 12, 2023: The download of this patch has been temporarily disabled while a problem with the install of this patch is investigated. Specific to the 11.1 version of this patch, installing the Portal for ArcGIS Enterprise Sites Security Patch into version 11.1 highly available Portal for ArcGIS environments will result in failures because a user-configured file is not properly restored. An uninstall of the Portal for ArcGIS 11.1 Enterprise Sites Security Patch does not resolve the failures. A corrected version of this patch will be available soon. For those who have already installed this patch and encountered failures in a highly available environment, please refer to this Esri Technical Article for help.

Original Text: This patch contains fixes for one high security issue and multiple medium priority security issues. Esri highly recommends customers using Portal for ArcGIS 11.1 through 10.8.1 to install this patch. Users at version 10.7.1 should upgrade to 10.9.1 or 11.1 and install this patch. ArcGIS 10.7.1 is in mature support status and no longer receives patches. Users working with ArcGIS Enterprise 10.7.1 and below are encouraged to upgrade to versions 11.1 (preferred), 10.9.1 or 10.8.1 and install available security patches.

This patch was originally released on June 28, 2023.

We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.

Vulnerabilities fixed by this patch

There is a Cross-site Scripting vulnerability in Esri Portal Sites in versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The impacts to Confidentiality, Integrity and Availability are High.

CVE Details: CVE-2023-25835

CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

CVSSv3.1 Base Score: 8.4 (High) CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVSSv3.1 Environmentally Modified Score: 8.0 (High) CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/RL:O

This issue affects ArcGIS Enterprise Sites: from 10.8.1 through 11.1.

ESRI Bug ID: [BUG-000153659 – A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Enterprise Sites.]

There is a Cross-site Scripting vulnerability in Esri Portal Sites in versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are low.

CVE Details: CVE-2023-25837

CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

CVSSv3.1 Base Score: 8.4 (High) CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVSSv3.1 Environmentally Modified Score: 6.5 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

This issue affects Portal sites: from 10.8.1 through 10.9.

ESRI Bug ID: [BUG-000133088 – XSS in ArcGIS Enterprise sites.]

CVE Details: CVE-2023-25836

CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

CVSSv3.1 Base Score: 5.4 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSSv3.1 Environmentally Modified Score: 5.2 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

This issue affects Portal sites: from 10.8.1 through 10.9.

ESRI Bug ID: [BUG-000135364 – There is a cross-site scripting (XSS) vulnerability in ArcGIS Enterprise Sites.]

There is a Cross-site Scripting vulnerability in Esri Portal Sites in versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The impacts to Confidentiality, Integrity and Availability are High.
