ArcGIS Enterprise Security Patch Dec 2023

12-14-2023 07:07 AM
ThomasHoman
Occasional Contributor III

Hi,

On the Dec 8 2023 Enterprise Security patch notice (https://support.esri.com/en-us/patches-updates/2023/defective-arcgis-enterprise-patch) there is very little actual detail beyond 'please wait for us/do nothing to get a fix in place'. What is the actual problem so we can monitor for aberrant activity?

Is there a CVE generated for this event that provides additional details so I can log it with my IT department?

Tom

15 Replies
RandallWilliams
Esri Regular Contributor

Regarding CVEs in general - when we release a security patch, we release an advisory that's discoverable on the ArcGIS Trust Center. 

An easy way to review all of the CVEs we've released:

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&is...

JonEmch
Esri Regular Contributor

Hello folks,

We've made some substantial additions to our knowledge article on this issue: Defective Portal for ArcGIS Enterprise Sites Security Patch.

Please let me know if there are any questions; we are here to help.

Keep on keeping on!
RyanUthoff
Occasional Contributor III

@JonEmch Is WebGISDR affected by this defective patch? Hypothetically, let's say we have an ArcGIS Enterprise deployment with the defective patch installed. If for some reason, we needed to do a WebGISDR restore to a brand new environment with a fresh installation of ArcGIS Enterprise (without the defective patch installed), would we expect to see any problems with that?

Also, thank you for adding the additional information to the knowledge article! It is very detailed and thorough which I appreciate!

Edit: I realize that doing a WebGISDR restore to work around this issue isn't ideal and may not be "recommended." I'm asking because we were already considering moving our Enterprise deployment to new machines, before this defective patch was made public.

JonEmch
Esri Regular Contributor

@RyanUthoff 

WebGISDR is not affected by this patch. This is a possible method of recovery; however, I will caution you to wait until the new version of the Portal for ArcGIS Enterprise Sites Security patch is made available for your version of ArcGIS Enterprise before proceeding.

Keep on keeping on!
RyanUthoff
Occasional Contributor III

Another question related to WebGISDR. Is changing the Portal Database password in the Portal Admin endpoint going to cause any issues related to this bug? We're testing the WebGISDR but don't know the password to the DB which we need for creating the initial Portal admin account in the new environment in order for the restore to work.

Of course we won't do the restore "for real" until after the fix is released. But I can't test the restore without changing the password first. If there is any risk associated with changing the Portal DB password, we'll wait. Otherwise, we'd like to go ahead and do some testing while we wait for the fix to be released. I'm just being overly cautious since I don't want to "trigger" the bug.

JuhaHaanpera
Esri Contributor

Hi,

I installed the Portal for ArcGIS Enterprise Sites 2023 Security Patch package on the ArcGIS Enterprise 11.1 Portal server. I followed the instructions exactly and first ran the Portal for ArcGIS Validation and Repair program, which fixed the faulty program.

After that, I installed all the available software fixes.
Finally, I ran the PatchFinder.exe Utility program to make sure that version C was installed on the machine. At this point, it is important to restart the Portal server.

After that, I carefully tested in the ArcGIS Enterprise environment that everything works as it should in the Portal's browser applications, Field Maps, and ArcGIS Pro. Everything seems to work perfectly. It is good to reserve 3-4 hours of working time for software patch installations per server.