topic Re: ArcGIS Enterprise Security Patch Dec 2023 in ArcGIS Enterprise Questions

ArcGIS Enterprise Security Patch Dec 2023

ThomasHoman — Thu, 14 Dec 2023 15:07:50 GMT

Hi,

On the Dec 8 2023 Enterprise Security patch notice ( https://support.esri.com/en-us/patches-updates/2023/defective-arcgis-enterprise-patch ) there is very little actual detail beyond 'please wait for us/do nothing to get a fix in place' What is the actual problem so we can monitor for aberrant activity?

Is there a CVE generated for this event that provides additional details so I can log it with my IT department?

Tom

Re: ArcGIS Enterprise Security Patch Dec 2023

RyanUthoff — Thu, 14 Dec 2023 16:32:08 GMT

I just received notice of this yesterday and have this defective patch installed. Per the email that was sent out, it said the patch defect can have "serious consequences", yet doesn't specify what the "serious consequences" are. As the server administrator, I need to know what these consequences are so I can monitor for aberrant behavior like the original poster mentioned.

Edit: I realize that even if we knew what the consequences are, we might not be able to do much about it until Esri releases the fix. But at least I'd be able to immediately pinpoint the problem instead of spending hours trying to find it myself, reaching out to support, etc. We have hundreds of users that depend on Portal being up and running so it is vital that we are kept aware of these sorts of things and know what kind of behavior to expect from defective patches.

Re: ArcGIS Enterprise Security Patch Dec 2023

RandallWilliams — Thu, 14 Dec 2023 17:53:44 GMT

Hi James, Hi Ryan,

The ArcGIS Enterprise 11.1 version of this patch AND the required ArcGIS Validation and Repair tool are available. We describe the defect the original Portal for ArcGIS Enterprise Sites Security Patch introduced and also provide the download location here:

https://support.esri.com/en-us/patches-updates/2023/defective-arcgis-enterprise-patch

We recently updated our Portal for ArcGIS Validation and Repair tool page here:

https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-validation-and-repair

We also recently updated our security advisory , which found under the Advisories section of the ArcGIS Trust Center.

The specific CVEs addressed in the are documented in the advisory.

Linux users are unaffected by the issues introduced by the flawed patch.

Users who have not yet installed the Portal for ArcGIS Enterprise Sites Security Patch can immediately remediate the security issues that this patch resolves with an upgrade to 11.2.

All of the issues that the Portal for ArcGIS Enterprise Sites Security Patch addresses require the ability for a malicious user to manage an ArcGIS Enterprise Site.

Mitigation options include temporarily revoking user memberships from the Sites Core Group.

Re: ArcGIS Enterprise Security Patch Dec 2023

MarcoBoeringa — Thu, 14 Dec 2023 17:55:04 GMT

I think the information you are looking for is on this page:

https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-enterprise-sites-security-patch

I agree the description is not the clearest, but if I interpret this well, the main point seems to be the potential failure of a high availability "standby machine", as described in the quote visible below, which could of course be pretty problematic if your main server goes down due to a problem. Note that this issue only affects Windows installs according to the text:

BUG-000160830 - Installing the 11.1 version of the Portal for ArcGIS Enterprise Sites Security Patch results in failures on the standby machine in highly available environments. (11.1 only)

I think the other bug numbers mentioned in the quote below, are actually the exact same issue, just with a different bug number for each version of ArcGIS Enterprise:

The defects that motivated the temporary disablement of the patches are BUG-000163367 (version 11.1), BUG-000160895 (version 10.9.1), and BUG-000161711 (version 10.8.1) and only impact Windows.

Re: ArcGIS Enterprise Security Patch Dec 2023

RyanUthoff — Thu, 14 Dec 2023 18:13:56 GMT

Thank you for the link to the ArcGIS Trust Center. That gives me the information I was looking for. The technical support articles I've seen haven't included that link, so I wasn't aware it existed. And bug fixes in the corrected patch give the impression that the bug only exists in 11.1, even though the Portal for ArcGIS Validation and Repair tool is available for 10.8.1, 10.9.1, and 11.1. So overall, it's a little confusing to figure out what's going on but I appreciate your response.

Re: ArcGIS Enterprise Security Patch Dec 2023

JonEmch — Thu, 14 Dec 2023 19:03:15 GMT

Hello Ryan,

I can confirm that we have three separate issues so that we can track impact across different versions of ArcGIS Enterprise. We will be re-deploying the patch along with additional tooling for each affected version of ArcGIS Enterprise. More information to come!

Re: ArcGIS Enterprise Security Patch Dec 2023

RandallWilliams — Thu, 14 Dec 2023 21:23:06 GMT

To be clear, there are a few issues in play:

We released a series of patches for ArcGIS Enterprise Sites to address a few cross site scripting issues.
While the patches fixed those issues, on Windows hosts, it introduced an issue that could result in system availability challenges if additional patches or upgrades were subsequently installed.
- This is what prompted us to pull that patch, and it took some time to develop a fix. This is an unprecedented issue for us, and required a major engineering effort to us to release the tool that fixes this problem.
At the same time, we needed to produce a new patch for ArcGIS Enterprise Sites that wouldn't introduce this issue.

Re: ArcGIS Enterprise Security Patch Dec 2023

RandallWilliams — Thu, 14 Dec 2023 21:54:55 GMT

Regarding CVEs in general - when we release a security patch, we release an advisory that's discoverable on the ArcGIS Trust Center.

An easy way to review all of the CVEs we've released:

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cpe_vendor=cpe%3A%2F%3Aesri

Re: ArcGIS Enterprise Security Patch Dec 2023

ThomasHoman — Fri, 15 Dec 2023 02:24:34 GMT

Agreed. I had never heard of the trust portal as well.

Thanks you very much for the additional information.

Re: ArcGIS Enterprise Security Patch Dec 2023

Pei-SanTsai — Fri, 15 Dec 2023 18:36:29 GMT

Per Portal for ArcGIS Enterprise Sites 2023 Security Patch (esri.com), "Customers working with versions prior to ArcGIS 11.1 who cannot patch at this time may mitigate all security issues addressed by the Portal for ArcGIS Enterprise Sites Security Patch.

Mitigation Options include:

Option 1: Upgrade your deployment to ArcGIS Enterprise 11.2 to completely remediate these vulnerabilities.

Option 2: Remove members from ArcGIS Enterprise Sites Core Team groups.

In either case, ArcGIS Enterprise sites will remain accessible."

Please correct me if I'm interpreting this statement incorrectly. I'm using ArcGIS Enterprise 10.9.1 and have applied the patch back in June. Mitigation is one of the options listed above, meaning that I can upgrade to 11.2 to resolve the issue? I'm scheduled to upgrade our Dev Environment after the Christmas. Was planning to do 11.1 but with this issue will be upgrading to 11.2. Thank you!

Re: ArcGIS Enterprise Security Patch Dec 2023

RandallWilliams — Fri, 15 Dec 2023 18:41:56 GMT

NO. DO NOT ATTEMPT TO UPGRADE OR INSTALL ANY PATCHES UNTIL THE 10.9.1 Validation and Repair tool IS AVAILABLE.

Upgrading is an option to remediate the Sites vulnerabilities IF and ONLY IF this faulty patch has not yet been installed.

Re: ArcGIS Enterprise Security Patch Dec 2023

JonEmch — Tue, 19 Dec 2023 23:06:35 GMT

Hello folks,

We've made some substantial additions to our knowledge article on this issue: Defective Portal for ArcGIS Enterprise Sites Security Patch.

Please let me know if there are any questions, we are here to help.

Re: ArcGIS Enterprise Security Patch Dec 2023

RyanUthoff — Wed, 20 Dec 2023 14:24:11 GMT

@JonEmch Is WebGISDR affected by this defective patch? Hypothetically, let's say we have an ArcGIS Enterprise deployment with the defective patch installed. If for some reason, we needed to do a WebGISDR restore to a brand new environment with a fresh installation of ArcGIS Enterprise (without the defective patch installed), would we expect to see any problems with that?

Also, thank you for adding the additional information to the knowledge article! It is very detailed and thorough which I appreciate!

Edit: I realize that doing a WebGISDR restore to workaround this issue isn't ideal and my not be "recommended." I'm asking because we were already considering moving our Enterprise deployment to new machines, before this defective patch was made public.

Re: ArcGIS Enterprise Security Patch Dec 2023

JonEmch — Wed, 20 Dec 2023 15:46:59 GMT

@RyanUthoff

WebGISDR is not affected by this patch. This is a possible method of recovery however, I will caution you to wait until the new version of the Portal for ArcGIS Enterprise Sites Security patch is made available for your version of ArcGIS Enterprise before proceeding.

Re: ArcGIS Enterprise Security Patch Dec 2023

JuhaHaanpera — Wed, 27 Dec 2023 09:19:44 GMT

Hi,

I installed the Portal for ArcGIS Enterprise Sites 2023 Security Patch package on the ArcGIS Enterprise 11.1 Portal server. I followed the instructions exactly and first ran The Portal for ArcGIS Validation and Repair program, which fixed the faulty program.

After that, I installed all the available software fixes.

Finally, I ran the PatchFinder.exe Utility program to make sure that version C was installed on the machine. At this point, it is important to restart the Portal server.

After that, I carefully tested in the ArcGIS Enterprise environment that everything works as it should in the Portal's browser applications, Field Maps, and ArcGIS Pro. Everything seems to work perfectly. It is good to reserve 3-4 hours of working time for software patch installations per server.

Re: ArcGIS Enterprise Security Patch Dec 2023

RyanUthoff — Tue, 16 Jan 2024 17:03:40 GMT

Another question related to WebGISDR. Is changing the Portal Database password in the Portal Admin endpoint going to cause any issues related to this bug? We're testing the WebGISDR but don't know the password to the DB which we need for creating the initial Portal admin account in the new environment in order for the restore to work.

Of course we won't do the restore "for real" until after the fix is released. But I can't test the restore without changing the password first. If there is any risk associated with changing the Portal DB password, we'll wait. Otherwise, we'd like to go ahead and do some testing while we wait for the fix to be released. I'm just being overly cautious since I don't want to "trigger" the bug.