Esri has released the Portal for ArcGIS Security 2021 Update 1 Patch that resolves one high priority vulnerability and two medium priority security vulnerabilities across versions 10.9, 10.8.1, 10.8, 10.7.1, 10.6.1, and 10.6. As with all security patches, we encourage all system administrators to install security updates on relevant systems at your earliest opportunity.
This patch addresses one high severity vulnerability and two medium severity vulnerabilities have been addressed in the Portal for ArcGIS Security 2021 Update 1 Patch. This patch is available here.
We provide Common Vulnerability Scoring System (CVSS) scores to allow our customers to better assess risk of this vulnerability to their operations. Both the base score and a modified temporal score is provided to reflect the availability of an official patch. Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
Vulnerabilities fixed in this patch include:
- There is a privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 and below that may allow a remote, authenticated attacker to impersonate another account.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 8.8 Base Score, 8.4 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/RL:O/RC:C
Mitigations
- Implement SAML specific security best practices as documented in the ArcGIS Organization-Specific Logins FAQ
- Temporarily disable Organization Specific Logins (Not recommended)
Vulnerability Details
CVE-2021-29108 – Improper Verification of Cryptographic Signature CWE-347 – CVSS 8.4
Acknowledgements
Philipp Mao and Felix Aeppli with Compass Security
- A reflected Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS version 10.9 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 6.1 Base Score, 5.8 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C
Vulnerability Details
CVE-2021-29109 – Cross Site Scripting (XXS) CWE-79 – CVSS 5.8
- A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS version 10.9 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 5.4 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C
Vulnerability Details
CVE-2021-29110 – Cross Site Scripting (XXS) CWE-79 – CVSS 5.2
- A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS before version 10.9.0 may allow a remote authenticated attackers able to inject arbitrary code which could potentially execute arbitrary JavaScript code in the user’s browser.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 5.4 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C
Vulnerability Details
CVE-2021-3012 – Cross Site Scripting (XXS) CWE-79 – CVSS 5.2
Additional Notes:
This patch is highly recommended and encouraged for all customers running on currently supported versions of ArcGIS Enterprise (10.6, 10.6.1, 10.7.1, 10.8, 10.8.1).
As a new approach to help streamline the patching process for both customers and Esri, this patch will be a prerequisite for future patches of the Portal for ArcGIS component of ArcGIS Enterprise. As a consequence, this patch cannot be uninstalled once it has been applied to Windows systems. While the patch can be uninstalled on Linux systems, it will be required to install it again in such cases where future patches are desired.
This also means that this patch is cumulative of all hot fixes and patches previously built and released for the individual versions. Refer to the Issues Addressed section of the patch page for details on accumulated fixes as the set of fixes is not identical when comparing across versions.
Older patches that have been made obsolete by this new patch will no longer show up in the patch notification tool. Some older Portal for ArcGIS patches will still be listed in the cases where they are not accumulated into this one and are thus still required to be installed separately.
Article Discussion: