{"id":2006792,"date":"2024-03-21T09:08:16","date_gmt":"2024-03-21T16:08:16","guid":{"rendered":"https:\/\/www.esri.com\/arcgis-blog\/?post_type=blog&p=2006792"},"modified":"2024-05-13T13:35:26","modified_gmt":"2024-05-13T20:35:26","slug":"portal-for-arcgis-enterprise-sites-security-patch-is-now-available","status":"publish","type":"blog","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/portal-for-arcgis-enterprise-sites-security-patch-is-now-available","title":{"rendered":"Portal for ArcGIS Enterprise Sites 2023 Security Patch update"},"author":136891,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"_searchwp_excluded":""},"categories":[37501],"tags":[24081,759222,24071,241722],"industry":[],"product":[763582],"class_list":["post-2006792","blog","type-blog","status-publish","format-standard","hentry","category-administration","tag-ssamymlgp","tag-cve","tag-security","tag-ssamlymlgp","product-trust-arcgis"],"acf":{"authors":[{"ID":136891,"user_firstname":"Mark","user_lastname":"Bierman","nickname":"Mark Bierman","user_nicename":"mbierman","display_name":"Mark Bierman","user_email":"MBierman@esri.com","user_url":"","user_registered":"2020-12-08 21:10:04","user_description":"","user_avatar":""},{"ID":5311,"user_firstname":"Randall","user_lastname":"Williams","nickname":"Randall Williams","user_nicename":"randallwilliams","display_name":"Randall Williams","user_email":"randall_williams@esri.com","user_url":"https:\/\/trust.arcgis.com","user_registered":"2018-03-02 00:17:03","user_description":"","user_avatar":""},{"ID":3911,"user_firstname":"Michael","user_lastname":"Young","nickname":"Michael Young","user_nicename":"myoung1000","display_name":"Michael Young","user_email":"myoung@esri.com","user_url":"http:\/\/trust.arcgis.com","user_registered":"2018-03-02 00:15:29","user_description":"","user_avatar":""}],"short_description":"An update regarding the ArcGIS Enterprise Sites Security Patch re-release.","flexible_content":[{"acf_fc_layout":"content","content":"

Updated Portal for ArcGIS Enterprise Sites 2023 Security Patch and ArcGIS Validation and Repair tools released for versions 10.8.1, 10.9.1, and 11.1.<\/strong><\/p>\n

The release for version 10.8.1 concludes efforts to respond to the defective Portal for ArcGIS Enterprise Sites Security Patch.<\/p>\n

March 21, 2024:\u00a0<\/strong>A new setup for the ArcGIS Enterprise 10.8.1 Windows version of the Portal for ArcGIS Enterprise Sites Security Patch is now available. This new setup addresses an issue related to a defective patch installation on Windows, as described in BUG-000161711. Before installing this new patch, first run the\u00a0Portal for ArcGIS Validation and Repair<\/a>\u00a0tool. The tool will validate your ArcGIS Enterprise deployment and determine if the defective patch is installed. If the defective patch is detected, you will be directed to use the tool to repair your deployment before you can install Portal for ArcGIS patches released as of December 2023.<\/p>\n

The new setup, which replaces the defective patch, is named Portal for ArcGIS Enterprise Sites Security Patch. Note that the patch, when shown as available in the ArcGIS Enterprise Patch Notification tool, is listed as Portal for ArcGIS Enterprise Sites Security Patch (without the B suffix) with a release date of March 21, 2024; once installed, it is listed as Portal for ArcGIS Enterprise Sites Security Patch B.<\/p>\n

More details about the defective patch installation are available from this\u00a0Technical Support resource<\/a>.<\/p>\n

Patch history:\u00a0<\/strong>Previous updates regarding this patch can be read in detail below the list of issues addressed with the patch.\u00a0<\/strong><\/p>\n

 <\/p>\n\n\n\n\n\n\n\n
\u00a0<\/strong><\/td>\nWindows<\/strong><\/td>\nLinux<\/strong><\/td>\n<\/tr>\n<\/thead>\n
11.1<\/td>\nAvailable as of Dec 12, 2023. \u00a0 Portal for ArcGIS 11.1 Enterprise Sites Security Patch C<\/td>\nAvailable as of Dec 12, 2023. Portal for ArcGIS 11.1 Enterprise Sites Security Patch C<\/td>\n<\/tr>\n
10.9.1<\/td>\nAvailable as of February 12, 2024. Portal for ArcGIS 10.9.1 Enterprise Sites Security Patch B<\/td>\nAvailable as of Dec 12, 2023. Portal for ArcGIS 10.9.1 Enterprise Sites Security Patch B<\/td>\n<\/tr>\n
10.8.1<\/td>\nAvailable as of March 21, 2024. Portal for ArcGIS 10.8.1 Enterprise Sites Security Patch B<\/td>\nAvailable as of Dec 12, 2023. Portal for ArcGIS 10.8.1 Enterprise Sites Security Patch B<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

The Portal for ArcGIS 10.8.1 Validation and Repair tool is also live on the support site. The URL is:<\/p>\n

https:\/\/support.esri.com\/en-us\/patches-updates\/2023\/portal-for-arcgis-validation-and-repair<\/a><\/p>\n

Summary<\/strong><\/p>\n

Esri announces the Portal for ArcGIS Validation and Repair tool. The Portal for ArcGIS Validation and Repair tool must be run on all 11.1, 10.9.1 and 10.8.1 machines with Portal for ArcGIS installed.\u00a0The Portal for ArcGIS Validation and Repair tool is specifically for deployments on Windows.<\/p>\n

The tool will validate your deployment and determine if the defective Portal for ArcGIS Enterprise Sites Security Patch is installed. If the defective patch is detected, you will be directed to use the tool to repair the deployment. The repair will remove the defective patch and all other Portal for ArcGIS patches on the deployment.\u00a0After completing the repair, Portal for ArcGIS patches will need to be reapplied either through the ArcGIS Enterprise Patch Notification tool or by downloading patches available from Esri.<\/p>\n

Esri recommends scheduling the repair, as well as the reinstallation of patches, during a planned maintenance timeframe. This is because the Enterprise portal will be inaccessible while the repair and patch reinstallation take place, which can be for several hours. The time needed for repair depends on the number of patches installed as well as hardware and machine resources. Note that repair time will be significantly longer for Portal for ArcGIS Enterprise 10.8.1 deployments than other versions. The Portal for ArcGIS Validation and Repair tool reports a progress status as each patch is removed. If the tool must be terminated during the repair, it is possible to re-run the tool and resume the repair, but only after the machine has been restarted. The tool creates a log file and details on how to use the log are found in the Additional details section.<\/p>\n

All Portal for ArcGIS patches released as of December 2023 will have a prerequisite requiring that the Portal for ArcGIS Validation and Repair tool is run successfully. Only following the successful validation of a deployment will it be possible to install new Portal for ArcGIS patches. Therefore, you will need to run the Portal for ArcGIS Validation and Repair tool prior to installing any Portal for ArcGIS patches released as of December 2023.<\/p>\n

The Portal for ArcGIS Validation and Repair tool is available for download from the table below or from the ArcGIS Enterprise Patch Notification Tool that is installed with your deployment.<\/p>\n

March 21, 2024:\u00a0<\/strong>Portal for ArcGIS Validation and Repair tool is now available for version 10.8.1. Refer to this\u00a0Technical Support<\/a>\u00a0page for information about these bugs and Esri’s planned response.<\/p>\n

March 21, 2024:<\/strong> A new setup is now available for the Portal for ArcGIS 10.9.1 Validation and Repair tool. This new version of the tool includes resolutions for a possible upgrade failure and issues running the tool with no available disk space. This version also enhances tool resiliency when it is terminated during a repair and provides more informative logging. There is no need to run this new tool if you already used the previous version of the tool to successfully validate your Enterprise portal.<\/p>\n

The new setup replaces the previous Portal for ArcGIS 10.9.1 Validation and Repair tool. When shown as available in the ArcGIS Enterprise Patch Notification tool, it is listed as Portal for ArcGIS 10.9.1 Validation and Repair (without the B suffix) with a release date of March 21, 2024; once installed, it is listed as Portal for ArcGIS Validation and Repair B. Note that the B version of the tool will run overtop of the previous version; there is no need to uninstall the previous version prior to running the new setup.<\/p>\n

February 12, 2024<\/strong>: Portal for ArcGIS Validation and Repair tool is now available for version 10.9.1. Refer to this\u00a0Technical Support<\/a>\u00a0page for information about these bugs and Esri’s planned response.<\/p>\n

December 12, 2023<\/strong>: Portal for ArcGIS Validation and Repair tool is currently only available for version 11.1 Refer to this\u00a0Technical Support<\/a>\u00a0page for information about these bugs and Esri’s planned response.<\/p>\n

********************************<\/p>\n

January 29, 2024: <\/strong>A defect has been identified in the Portal for ArcGIS Enterprise Sites Security Patch for 10.8.1, 10.9.1, and 11.1. This patch was initially released in late June 2023 and has been disabled for download as of October 12, 2023 while this defect is investigated.<\/p>\n

The defect is described here<\/a>.<\/p>\n

The 11.1 version of this patch has been rereleased. Patches for previous versions are forthcoming. We have updated this advisory to provide guidance for those users who have not yet installed any version of the Portal for ArcGIS Enterprise Sites Security Patch and require interim mitigations to address the vulnerabilities fixed by those patches.<\/p>\n

**********************************<\/p>\n

Important note December 12, 2023:<\/b> A new setup for the ArcGIS Enterprise 11.1 Windows version of the Portal for ArcGIS Enterprise Sites Security Patch is now available here<\/a>. This new setup addresses an issue related to a defective patch installation on Windows, as described in BUG-000163367. Before installing this new patch, first run the\u00a0Portal for ArcGIS Validation and Repair<\/a>\u00a0tool. The tool will validate your ArcGIS Enterprise deployment and determine if any defective patches are installed. If defective patches are detected, you will be directed to use the tool to repair your deployment before you can install Portal for ArcGIS patches released as of December 2023. Windows 10.9.1 and 10.8.1 versions of this patch will be released at a future date.<\/p>\n

Linux is not impacted by BUG-000163367, BUG-000160895, and BUG-000161711, therefore all versions of the Linux patch are now available (11.1, 10.9.1 and 10.8.1) and do not require the Portal for ArcGIS Validation and Repair tool to be run.<\/p>\n

Customers working with versions prior to ArcGIS 11.1 who cannot patch at this time may mitigate all security issues addressed by the Portal for ArcGIS Enterprise Sites Security Patch.<\/p>\n

Mitigation Options include:<\/strong><\/p>\n

Option 1: Upgrade your deployment to ArcGIS Enterprise 11.2\u00a0to completely remediate these vulnerabilities.<\/p>\n