BLOG
The Case:

Our team was recently asked to assist with troubleshooting an odd set of failures when adding data hosted on ArcGIS Online to ArcGIS Pro. When adding ArcGIS Online hosted feature services to the ArcGIS Pro project, the customer received error 499: Invalid token. They were already signed into ArcGIS Online, so it didn't seem like there was an issue with the token. Pro was functioning correctly on every other host in this organization, so it was odd that this issue would be localized to one machine. This mystery problem was blocking acceptance of a migration, as this particular host was leveraged with some additional integrations and customizations, and the host was purchased explicitly for its designated workflow.

Symptoms:

- ArcGIS Pro was slow to load.
- Adding hosted feature services to a new ArcGIS Pro project failed with the error "Authentication Token required" (status code 499).
- Running previously successful scripting/geoprocessing tasks failed with ERROR 160228, "The user does not have permission to execute the operation."

The customer was logged into ArcGIS Online successfully, so unless something upstream was somehow mangling an authorization token, it seemed that there was something else in play. Given the error, we needed to check whether ArcGIS Pro was having an issue accessing an OAuth resource or perhaps some generateToken call was failing. To do that, we broke out Fiddler4. While using Fiddler to monitor the web traffic between ArcGIS Pro and ArcGIS Online while adding content, we immediately noticed that none of the CRL/OCSP links were accessible: every request to them failed with HTTP 502 (Bad Gateway).

So what's OCSP and what's a CRL anyway?

OCSP is the Online Certificate Status Protocol. It's an alternative to a CRL (Certificate Revocation List). OCSP and CRLs are the two most common ways clients (browsers and the operating system's certificate stack alike) check whether a site's certificate has been revoked. A CRL is a signed list containing the serial numbers of all certificates that have been revoked by a Certificate Authority; the client downloads it from the CRL distribution point (CDP) URL embedded in the certificate and looks for the serial number of the certificate it is validating.
OCSP is a protocol used to query the revocation status of a single certificate: the client sends the certificate's serial number to the OCSP responder listed in the certificate's Authority Information Access (AIA) extension and gets back a signed response asserting that the certificate is good, revoked, or unknown. This makes it a lighter-weight validation process, as unlike a CRL it does not require downloading the entire list to discover the status of one certificate.

Why did this matter?

An HTTP 502 (Bad Gateway) on these URLs is suspect. A 502 is an HTTP-layer response, so it points at a proxy or inspecting firewall in the path answering on the CA's behalf rather than at the CA's responders being down. OCSP and CRL links are expected to be accessible via plaintext HTTP. After all, if you needed HTTPS to validate a certificate, you would first need to validate the certificate protecting the revocation endpoint, and so on. That is why the Windows crypto API (the certificate chaining engine) won't even try to fetch a CRL or OCSP response over HTTPS: the CDP and AIA URLs in publicly trusted certificates are http://, and a CRL or OCSP response is protected by the CA's signature on it, not by the transport.

So why were these resources blocked? The answer was simple: the customer had included this host in a firewall policy that blocked all outbound plaintext HTTP, including CRL and OCSP. Organizations sometimes misinterpret PCI DSS controls to mean that communication using plaintext is prohibited, but that's not the case. The relevant requirements (PCI DSS v3.2.1 numbering) are:

- 1.2.1 - Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
- 1.3.4 - Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

As long as there is a legitimate reason for this traffic (which there is: OCSP and CRL are served over plaintext) and it is limited to the specific systems and external addresses that are required (CRL and OCSP endpoints should always be on allow lists; don't miss this during your firewall log reviews), there is no issue with sending traffic to a plaintext resource.

It seems that ArcGIS Pro didn't handle blocked connections to the OCSP and CRL links well, and threw a misleading error message when it could not get past the failed certificate revocation checks.
Resolution:

The customer's firewall team created and documented exceptions to allow outbound HTTP connections to the CRL distribution points and OCSP responders that ArcGIS Pro was trying to reach:

- http://s.ss2.us/r.crl
- http://ocsp.rootg2.amazontrust.com/*
- http://crl.rootg2.amazontrust.com/rootg2.crl
- http://crl3.digicert.com/DigiCertGlobalRootG2.crl
- http://crl.rootca1.amazontrust.com/rootca1.crl
- http://ocsp.digicert.com/*

For good measure, they also added http://ctldl.windowsupdate.com to the allow list, since that's the endpoint Windows uses for automatic root certificate updates (downloading its certificate trust list of root CA certs), which also runs over plaintext HTTP.

Meanwhile, we're working with support to improve our doc and error messaging/handling to make this a little more obvious, as we expect more and more users to run into this situation as they implement ZTA patterns.

References:

https://community.isc2.org/t5/Tech-Talk/PCI-and-revocation-checking-for-public-trusted-certificates/td-p/31830
Posted 12-11-2023 02:50 PM
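The post above diagnosed the problem with Fiddler. The following PowerShell script is an added example written for this page (it is not Esri code and not part of ArcGIS Pro) that reproduces the same check from the affected Windows host without a proxy tool: it pulls the TLS chain for a host, asks the Windows certificate chaining engine to perform an online revocation check, lists every CDP/AIA URL found in the chain, and probes each one over plain HTTP so a 502 from a middlebox shows up next to the URL it blocks. The default hostname (www.arcgis.com), the port and the timeouts are assumptions; any https:// CDP/AIA URL is flagged because, as noted above, CryptoAPI will not fetch revocation data over HTTPS.

```powershell
# Added diagnostic for the CRL/OCSP blocking case described above.
# Example code written for this page, not Esri or ArcGIS Pro tooling.
# Assumptions (not from the original post): run on the Windows host showing the
# symptoms, so that its outbound proxy/firewall policy applies to these requests.
param(
    [string]$TargetHost = 'www.arcgis.com',   # assumed ArcGIS Online hostname
    [int]$Port = 443
)

function Get-ChainForHost {
    param([string]$TargetHost, [int]$Port)
    $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    # Accept whatever the server presents: we only want to capture the leaf here.
    # Real validation, including revocation, is done by X509Chain below.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Online = make CryptoAPI really fetch CRL/OCSP over the network, as ArcGIS Pro does.
    $chain.ChainPolicy.RevocationMode       = 'Online'
    $chain.ChainPolicy.RevocationFlag       = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
    $null = $chain.Build($leaf)
    return $chain
}

function Get-RevocationUrls {
    param([System.Security.Cryptography.X509Certificates.X509Chain]$Chain)
    $urls = foreach ($el in $Chain.ChainElements) {
        foreach ($ext in $el.Certificate.Extensions) {
            # 2.5.29.31 = CRL Distribution Points; 1.3.6.1.5.5.7.1.1 = Authority Info Access
            # (AIA carries both the OCSP responder and the CA Issuers URL).
            if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
                $kind = if ($ext.Oid.Value -eq '2.5.29.31') { 'CRL' } else { 'AIA' }
                foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
                    [pscustomobject]@{ Kind = $kind; Url = $m.Groups[1].Value }
                }
            }
        }
    }
    $urls | Sort-Object Url -Unique
}

function Test-RevocationUrl {
    param([string]$Url)
    # CryptoAPI only fetches CDP/AIA over plaintext HTTP, so an https:// URL is itself a finding.
    if ($Url -notmatch '^http://') {
        return "NOT-HTTP (CryptoAPI will not fetch this)"
    }
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 10
        return "HTTP $($r.StatusCode)"
    } catch {
        $err  = $_
        $code = try { [int]$err.Exception.Response.StatusCode } catch { 0 }
        # 407/502/503 come from a proxy or firewall in the path, not from the CA.
        if ($code -in 407, 502, 503) { return "BLOCKED upstream (HTTP $code)" }
        if ($code -gt 0)             { return "HTTP $code (reached the responder)" }
        return "FAILED ($($err.Exception.Message))"
    }
}

$chain = Get-ChainForHost -TargetHost $TargetHost -Port $Port
"Chain status for ${TargetHost}:"
if ($chain.ChainStatus.Count -eq 0) { '  OK (chain built, revocation checked)' }
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }

"`nRevocation endpoints in the chain and how this host reaches them:"
Get-RevocationUrls -Chain $chain | ForEach-Object {
    [pscustomobject]@{ Kind = $_.Kind; Url = $_.Url; Result = (Test-RevocationUrl -Url $_.Url) }
} | Format-Table -AutoSize
```

When the fetches are blocked, the chain status section typically shows RevocationStatusUnknown and OfflineRevocation, and the table shows which URLs come back as BLOCKED; a 404 or 405 from the CA in response to a HEAD is fine, since it proves the path is open. The built-in equivalent for a saved certificate is `certutil -f -urlfetch -verify leaf.cer`, which performs the same online retrieval and reports per-URL results.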
BLOG
No worries, here's the link: https://trust.arcgis.com/en/customer-documents/ArcGIS_Enterprise_AV_Guidance.pdf
Posted 11-20-2023 08:35 AM

BLOG
There is an updated version in the customer exclusive documents repository in the ArcGIS Trust Center. https://trust.arcgis.com/en/customer-documents/
Posted 11-20-2023 06:03 AM

POST
Esri's current statement regarding LibWebP is: Esri utilizes the LibWebP library in a number of products; however, they have not been demonstrated as exploitable at this time. Out of an abundance of caution, all products utilizing the LibWebP component will be updated as part of the next product release. Patches for older versions will be considered for products where there is additional risk identified.
Posted 10-17-2023 08:39 AM

POST
Esri is aware of CVE-2023-4863, which has recently seen broad media attention due to the impact to the commonly leveraged image library libwebp. We are also tracking CVE-2023-5217, which has not attracted as much media attention. The libwebp library is used to process images created in the webp image format. CVE-2023-4863 is known to have been exploited in the wild by an attacker tricking a victim into opening an HTML page that contains a specifically crafted webp image, triggering a buffer overflow. CVE-2023-5217 is a similar issue, found in libvpx. The libvpx library is used to process videos created with the VPX codec. CVE-2023-5217 is also known to have been exploited in the wild. We are investigating the impact of these vulnerabilities in these 3rd party components in our software. We encourage you to subscribe to the RSS feed on the ArcGIS Trust Center for the latest as it becomes available.
Posted 10-02-2023 01:43 PM

POST
Web server logs will be the best way to collect this information.
Posted 08-30-2023 06:05 AM

BLOG
OOPS, I'm forever transposing the vuln scan guidance and the AV guidance, and the link is indeed broken. I'll work with our doc team to get this fixed.
Posted 08-28-2023 11:00 AM

POST
Agree on the "too many layers" point. Those should be split into different services with themes. Nobody's going to view all 100 of those layers at a time. I believe that this may be the answer to your question though: https://enterprise.arcgis.com/en/server/10.6/publish-services/windows/map-authoring-considerations.htm#ESRI_SECTION1_4C54586DEB0445B4B97AF15856E546AB
Posted 08-28-2023 08:04 AM

POST
Looks like your front end web server may only support HTTP/2, where Workflow Manager likely requires HTTP/1.1, or potentially vice-versa. Because the front end is sending in a different format than the back-end server expects, an error is thrown.
Posted 08-28-2023 08:01 AM

BLOG
Link changed w/ version 3.1: https://trust.arcgis.com/en/customer-documents/ArcGIS_Vulnerability_Scanning_Guidance_v31.pdf Check out the other resources in the customer exclusive area of the ArcGIS Trust Center. You may also find the WAF guide helpful.
Posted 08-28-2023 07:50 AM

BLOG
@CarlosBarahona Yes. We recently implemented the WebAuthn API and are working on the design to allow admins to require MFA for built-in accounts. WebAuthn was a prerequisite. This feature should be implemented in the near future.
Posted 08-07-2023 08:07 AM

POST
In a future release, we'll be offering a headless token approach that should ease some of this challenge. That will allow for mandatory MFA for user accounts along with the ability to use "service accounts". ArcGIS Enterprise now supports gMSA out of the box.
Posted 08-07-2023 06:54 AM

POST
Sorry about that, I could have sworn they were archives, not binary files. You can explode the cache using desktop or a tool like https://mapproxy.org/docs/1.13.0/mapproxy_util.html#export
Posted 07-28-2023 10:38 AM

POST
It's possible, but you shouldn't have to and I'd recommend against it. A .bundle file is just a gzipped collection of files and folders, and modern AV scanners should be able to see inside of it without unpacking it. 7zip should be able to open a cache bundle, but depending on how many tiles and LODs there are, it could take a very very long time to extract them all and may consume a lot of space on disk.
Posted 07-26-2023 07:15 AM

POST
If your IA team needs an artifact, they can look this up in our 3rd party CVE response tool. It's in the customer exclusive documents area in the ArcGIS Trust Center.
Posted 07-07-2023 08:27 AM