I was having cross scripting (XSS) errors come up on my security scans. I did a quick Google search and found there was this patch available: ArcGIS Server Security 2021 Update 2 Patch (esri.com). After installing the patch I re-ran my security scanner and still had XSS errors. Doing more searching revealed that there was an earlier patch: Portal for ArcGIS Security 2021 Update 1 Patch (esri.com). Does anyone know if you can apply patches out of order?
Security patches for different products are released at different frequencies, so you shouldn't have any problem with installing the Portal for ArcGIS security patch following the installation of the ArcGIS Server security patch.
Hey, can I ask what security scans? I initially thought you meant the portalscan.py or serverscan.py, but the portalscan.py doesn't seem to have a reference to XSS and while serverscan.py does:
That's a setting change in the admin API rather than a patch. I know that some people use third-party security scanners or have penetration testers, and they may have picked up on this. If that's the case then the issue is likely in your web server, rather than Esri. For example, if you use IIS as a default build and install a Web Adaptor, the Web Adaptor does not harden IIS. You have to invest a fair amount of effort into IIS to tighten security and exclude/modify headers to meet these conditions.