ArcGIS Enterprise

Portal for ArcGIS Security 2020 Update 2 Patch resolves one critical and multiple high priority security issues

Portal for ArcGIS Security 2020 Update 2 Patch is now live on the support site. This patch contains fixes for one critical and multiple high and moderate priority security issues.

The URL to download this patch is:

Portal for ArcGIS Security 2020 Update 2 Patch

https://support.esri.com/en/download/7837

Summary

Portal for ArcGIS Security 2020 Update 2 Patch is now available. This patch contains fixes for one critical security issue and multiple high and moderate priority security issues. Esri highly recommends customers using Portal for ArcGIS 10.7.1 and 10.6.1 install this patch. Users at version 10.6 and 10.7 should upgrade to 10.6.1 or 10.7.1 to install this patch. ArcGIS 10.5.1 is in mature support status and no longer receives patches. Users working with ArcGIS Enterprise 10.5.1 and below are encouraged to upgrade to versions 10.8.1 (preferred), 10.7.1 or 10.6.1 and install available security patches.

The following security issues are addressed in this patch:

BUG-000136840 SSRF vulnerability in Portal for ArcGIS.
CVSSv3.1 Base Score: 9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

BUG-000128193 Cross-site request forgery (CSRF) vulnerability in Portal for ArcGIS
CVSS 3.0 Base Score: 8.8 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

BUG-000132356 Reflected XSS vulnerability in Portal for ArcGIS
CVSS 3.1 Base Score: 8.8 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

BUG-000132357 Reflected XSS vulnerability in Portal for ArcGIS
CVSS 3.1 Base Score: 8.8 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

BUG-000132353 XXE and SSRF vulnerability in Portal for ArcGIS
CVSS 3.0 Base Score: 8.6 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

BUG-000132351 Uncontrolled resource exhaustion issue in Portal for ArcGIS
CVSS 3.0 Base Score: 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

BUG-000134926 Unvalidated redirect issue in the ArcGIS Enterprise portal sign in page (10.7.1 only)
CVSSv3.1 Base Score: 6.1 (Moderate) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

BUG-000132449 Portal proxy does not fully honor allowedProxyHosts parameter
CVSS 3.1 Base Score: 5.9 (Moderate) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

BUG-000132452 Reflected XSS in Portal for ArcGIS Home app (10.6.1 only)
CVSS 3.1 Base Score: 5.4 (Moderate) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

BUG-000127472 Stored XSS issue in Web AppBuilder
CVSS 3.0 Base Score: 4.6 (Moderate) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

BUG-000123692 Stored XSS in Portal for ArcGIS Map Viewer
CVSS 3.0 Base Score: 4.6 (Moderate) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

BUG-000133255 Portal for ArcGIS system properties are not properly encrypted
CVSS 3.0 Base Score: 4.4 (Moderate) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

BUG-000132359 Unable to make proxy requests to an external url after applying the Portal for ArcGIS Security 2020 Update 1 Patch

Esri strongly recommends that customers using Portal for ArcGIS 10.7.1 apply this patch in accordance with their organization’s timelines for addressing high priority security issues. Customers using Portal for ArcGIS 10.6.1 should apply this patch in accordance with their organization’s timelines for addressing critical priority security issues.
