ArcGIS Enterprise

Portal for ArcGIS Security 2021 Update 1 Patch

Esri has released the Portal for ArcGIS Security 2021 Update 1 Patch, which resolves a number of recently identified security vulnerabilities in versions 10.9, 10.8.1, 10.8, 10.7.1, 10.6.1, and 10.6. As with all security patches, we encourage system administrators to install this update on all affected systems at the earliest opportunity.

This patch addresses one high severity vulnerability and two medium severity vulnerabilities. The patch is available here.

We provide Common Vulnerability Scoring System (CVSS) scores to allow our customers to better assess the risk these vulnerabilities pose to their operations. Both the base score and a temporal score are provided; the score quoted for each vulnerability below is the temporal score, which reflects the availability of an official patch (Remediation Level: Official Fix) and confirmed report confidence. Please see Common Vulnerability Scoring System for more information on the definition of these metrics.

Vulnerabilities fixed in this patch include:

Common Vulnerability Scoring System (CVSS v3.1) Details

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/RL:O/RC:C

Mitigations

Vulnerability Details

CVE coming soon – Improper Verification of Cryptographic Signature (CWE-347) – CVSS 8.4 (temporal; base score 8.8). Per the vector, this is exploitable over the network by a low-privileged user with no user interaction and has high impact on confidentiality, integrity and availability.

Acknowledgements 

Philipp Mao and Felix Aeppli with Compass Security

Common Vulnerability Scoring System (CVSS v3.1) Details

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C

Vulnerability Details

CVE coming soon – Cross-Site Scripting (XSS) (CWE-79) – CVSS 5.8 (temporal; base score 6.1). Per the vector, no privileges are required (PR:N), so this issue is reachable by an unauthenticated attacker who can get a victim to interact with a crafted link or page.

Common Vulnerability Scoring System (CVSS v3.1) Details

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C

Vulnerability Details

CVE coming soon – Cross-Site Scripting (XSS) (CWE-79) – CVSS 5.2 (temporal; base score 5.4). Per the vector, this issue differs from the one above in that the attacker needs an authenticated low-privileged account (PR:L).

Additional Notes:

This patch is highly recommended and encouraged for all customers running on currently supported versions of ArcGIS Enterprise (10.6, 10.6.1, 10.7.1, 10.8, 10.8.1, and 10.9).

As a new approach to help streamline the patching process for both customers and Esri, this patch will be a prerequisite for future patches of the Portal for ArcGIS component of ArcGIS Enterprise. As a consequence, this patch cannot be uninstalled once it has been applied on Windows systems. On Linux systems the patch can be uninstalled, but it will have to be reinstalled before any future patch can be applied.

This also means that the patch is cumulative: it contains all hot fixes and patches previously built and released for each individual version. Refer to the Issues Addressed section of the patch page for details on the accumulated fixes, since the set of fixes differs between versions.

Older patches that this patch makes obsolete will no longer appear in the patch notification tool. Some older Portal for ArcGIS patches will still be listed where they are not accumulated into this one and therefore must still be installed separately.

About the authors

I'm a member of the Software Security and Privacy Team. I also help out with Esri's Product Security Incident Response Team. I've been with Esri almost 14 years now. Before joining the Software Security and Privacy Team, I was a senior technical lead in Esri Support Services, focusing on deploying, securing, and using ArcGIS Enterprise technology.
