ArcGIS Enterprise

Portal for ArcGIS Security 2021 Update 1 Patch

Esri has released the Portal for ArcGIS Security 2021 Update 1 Patch that resolves one high priority vulnerability and two medium priority security vulnerabilities across versions 10.9, 10.8.1, 10.8, 10.7.1, 10.6.1, and 10.6. As with all security patches, we encourage all system administrators to install security updates on relevant systems at your earliest opportunity.

This patch addresses one high severity vulnerability and two medium severity vulnerabilities have been addressed in the Portal for ArcGIS Security 2021 Update 1 Patch. This patch is available here.

We provide Common Vulnerability Scoring System (CVSS) scores to allow our customers to better assess risk of this vulnerability to their operations. Both the base score and a modified temporal score is provided to reflect the availability of an official patch.  Please see Common Vulnerability Scoring System for more information on the definition of these metrics.

Vulnerabilities fixed in this patch include:

Common Vulnerability Scoring System (CVSS v3.1) Details



Vulnerability Details

CVE-2021-29108 – Improper Verification of Cryptographic Signature CWE-347 – CVSS 8.4


Philipp Mao and Felix Aeppli with Compass Security

Common Vulnerability Scoring System (CVSS v3.1) Details


Vulnerability Details

CVE-2021-29109 – Cross Site Scripting (XXS) CWE-79 – CVSS 5.8

Common Vulnerability Scoring System (CVSS v3.1) Details


Vulnerability Details

CVE-2021-29110 – Cross Site Scripting (XXS) CWE-79 – CVSS 5.2

Additional Notes:

This patch is highly recommended and encouraged for all customers running on currently supported versions of ArcGIS Enterprise (10.6, 10.6.1, 10.7.1, 10.8, 10.8.1, and 10.9).

As a new approach to help streamline the patching process for both customers and Esri, this patch will be a prerequisite for future patches of the Portal for ArcGIS component of ArcGIS Enterprise. As a consequence, this patch cannot be uninstalled once it has been applied to Windows systems. While the patch can be uninstalled on Linux systems, it will be required to install it again in such cases where future patches are desired.

 This also means that this patch is cumulative of all hot fixes and patches previously built and released for the individual versions. Refer to the Issues Addressed section of the patch page for details on accumulated fixes as the set of fixes is not identical when comparing across versions.

Older patches that have been made obsolete by this new patch will no longer show up in the patch notification tool. Some older Portal for ArcGIS patches will still be listed in the cases where they are not accumulated into this one and are thus still required to be installed separately.

Inline Feedbacks
View all comments

Next Article

Time-saving tips for managing members in ArcGIS Online

Read this article