Portal for ArcGIS Security 2020 Update 2 Patch is now live on the support site. This patch contains fixes for one critical and multiple high and moderate priority security issues.
The URL to download this patch is:
Portal for ArcGIS Security 2020 Update 2 Patch
https://support.esri.com/en/download/7837
Summary
Portal for ArcGIS Security 2020 Update 2 Patch is now available. This patch contains fixes for one critical security issue and multiple high and moderate priority security issues. Esri highly recommends customers using Portal for ArcGIS 10.7.1 and 10.6.1 install this patch. Users at version 10.6 and 10.7 should upgrade to 10.6.1 or 10.7.1 to install this patch. ArcGIS 10.5.1 is in mature support status and no longer receives patches. Users working with ArcGIS Enterprise 10.5.1 and below are encouraged to upgrade to versions 10.8.1 (preferred), 10.7.1 or 10.6.1 and install available security patches.
The following security issues are addressed in this patch:
BUG-000136840 SSRF vulnerability in Portal for ArcGIS.
CVSSv3.1 Base Score: 9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
BUG-000128193 Cross-site request forgery (CSRF) vulnerability in Portal for ArcGIS
CVSS 3.0 Base Score: 8.8 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
BUG-000132356 Reflected XSS vulnerability in Portal for ArcGIS
CVSS 3.1 Base Score: 8.8 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
BUG-000132357 Reflected XSS vulnerability in Portal for ArcGIS
CVSS 3.1 Base Score: 8.8 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
BUG-000132353 XXE and SSRF vulnerability in Portal for ArcGIS
CVSS 3.0 Base Score: 8.6 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
BUG-000132351 Uncontrolled resource exhaustion issue in Portal for ArcGIS
CVSS 3.0 Base Score: 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
BUG-000134926 Unvalidated redirect issue in the ArcGIS Enterprise portal sign in page
(10.7.1 only) CVSSv3.1 Base Score: 6.1 (Moderate) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BUG-000132449 Portal proxy does not fully honor allowedProxyHosts parameter
CVSS 3.1 Base Score: 5.9 (Moderate) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
BUG-000132452 Reflected XSS in Portal for ArcGIS Home app (10.6.1 only)
CVSS 3.1 Base Score: 5.4 (Moderate) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
BUG-000127472 Stored XSS issue in Web AppBuilder
CVSS 3.0 Base Score: 4.6 (Moderate) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
BUG-000123692 Stored XSS in Portal for ArcGIS Map Viewer
CVSS 3.0 Base Score: 4.6 (Moderate) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
BUG-000133255 Portal for ArcGIS system properties are not properly encrypted
CVSS 3.0 Base Score: 4.4 (Moderate) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
BUG-000132359 Unable to make proxy requests to an external url after applying the Portal for ArcGIS Security 2020 Update 1 Patch
As follow up to the release of this revised patch, the following BUG updates were made.
-
BUG-000137920 – When installing Portal for ArcGIS Security 2020 Update 2 Patch, different names are displayed for Portal for ArcGIS content folders with non-English titles.
The Public Explanation now states:
Update March 22, 2021: The Portal for ArcGIS Security 2020 Update 2 Patch was re-released on March 22, 2021 to resolve BUG-000137920. The revised Portal for ArcGIS Security 2020 Update 2 Patch that includes a resolution for BUG-000137920 is now available for download on the support site. The URL is: https://support.esri.com/en/download/7837.
- BUG-000120300 – Avoid prompt for authentication on FeatureLayer associated to publicly shared SceneLayer.
Update March 22, 2021: The Portal for ArcGIS 10.6.1 Security 2020 Update 2 Patch was re-released on March 22, 2021 to include a fix for BUG-000120300. While a resolution for BUG-000120300 was planned for inclusion in the initial Portal for ArcGIS 10.6.1 Security 2020 Update 2 Patch, as noted in the Issues Addressed section of the patch page, further testing showed that the fix was not fully included in the patch. The revised version of the Portal for ArcGIS 10.6.1 Security 2020 Update 2 Patch that includes a resolution for BUG-000120300 is available for download on the support site.
The URL is: https://support.esri.com/en/download/7837.
The Portal for ArcGIS Security 2020 Update 2 Patch is now live on the support site. The URL is: https://support.esri.com/en/download/7837.
Esri strongly recommends that customers using Portal for ArcGIS 10.7.1 apply this patch in accordance with their organization’s timelines for addressing high priority security issues. Customers using Portal for ArcGIS 10.6.1 apply this patch in accordance with their organization’s timelines for addressing critical priority security issues
Article Discussion: