ArcGIS Portal patching order?

02-22-2022 01:32 PM
JustinMaynard
New Contributor

I was having cross scripting (XSS) errors come up on my security scans. I did a quick Google search and found there was this patch available: ArcGIS Server Security 2021 Update 2 Patch (esri.com). After installing the patch I re-ran my security scanner and still had XSS errors. Doing more searching revealed that there was an earlier patch: Portal for ArcGIS Security 2021 Update 1 Patch (esri.com). Does anyone know if you can apply patches out of order?

0 Kudos
2 Replies
ChristopherPawlyszyn
Esri Contributor

Security patches for different products are released at different frequencies, so you shouldn't have any problem with installing the Portal for ArcGIS security patch following the installation of the ArcGIS Server security patch.


-- Chris Pawlyszyn
0 Kudos
Scott_Tansley
Regular Contributor

Hey, can I ask what security scans? I initially thought you meant the portalscan.py or serverscan.py, but the portalscan.py doesn't seem to have reference to XSS, while serverscan.py does:

[Image: Scott_Tansley_0-1645998868407.png]

That's a setting change in the admin API rather than a patch. I know that some people use third-party security scanners or have penetration testers, and they may have picked up on this. If that's the case then the issue is likely in your web server, rather than Esri. For example, if you use IIS as a default build and install a Web Adaptor, the Web Adaptor does not harden IIS. You have to invest a fair amount of effort into IIS to tighten security and exclude/modify headers to meet these conditions.

Scott Tansley
Consulting Architect (ArcGIS Enterprise)
https://www.linkedin.com/in/scotttansley/
0 Kudos