ArcGIS Enterprise Security Patch Dec 2023

12-14-2023 07:07 AM
ThomasHoman
Occasional Contributor III

Hi,

On the Dec 8 2023 Enterprise Security patch notice ( https://support.esri.com/en-us/patches-updates/2023/defective-arcgis-enterprise-patch ) there is very little actual detail beyond "please wait for us/do nothing to get a fix in place". What is the actual problem, so we can monitor for aberrant activity?

Is there a CVE generated for this event that provides additional details so I can log it with my IT department?

Tom

15 Replies
RyanUthoff
Occasional Contributor III

I just received notice of this yesterday and have this defective patch installed. Per the email that was sent out, it said the patch defect can have "serious consequences", yet doesn't specify what the "serious consequences" are. As the server administrator, I need to know what these consequences are so I can monitor for aberrant behavior like the original poster mentioned. 

Edit: I realize that even if we knew what the consequences are, we might not be able to do much about it until Esri releases the fix. But at least I'd be able to immediately pinpoint the problem instead of spending hours trying to find it myself, reaching out to support, etc. We have hundreds of users that depend on Portal being up and running so it is vital that we are kept aware of these sorts of things and know what kind of behavior to expect from defective patches.

RandallWilliams
Esri Regular Contributor

Hi James, Hi Ryan,

The ArcGIS Enterprise 11.1 version of this patch AND the required ArcGIS Validation and Repair tool are available. We describe the defect the original Portal for ArcGIS Enterprise Sites Security Patch introduced and also provide the download location here:

https://support.esri.com/en-us/patches-updates/2023/defective-arcgis-enterprise-patch

We recently updated our Portal for ArcGIS Validation and Repair tool page here:

https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-validation-and-repair

We also recently updated our security advisory, which is found under the Advisories section of the ArcGIS Trust Center.

The specific CVEs addressed in the patch are documented in the advisory.

Linux users are unaffected by the issues introduced by the flawed patch. 

Users who have not yet installed the Portal for ArcGIS Enterprise Sites Security Patch can immediately remediate the security issues that this patch resolves with an upgrade to 11.2. 

All of the issues that the Portal for ArcGIS Enterprise Sites Security Patch addresses require the ability for a malicious user to manage an ArcGIS Enterprise Site.

Mitigation options include temporarily revoking user memberships from the Sites Core Group.

RyanUthoff
Occasional Contributor III

Thank you for the link to the ArcGIS Trust Center. That gives me the information I was looking for. The technical support articles I've seen haven't included that link, so I wasn't aware it existed. And bug fixes in the corrected patch give the impression that the bug only exists in 11.1, even though the Portal for ArcGIS Validation and Repair tool is available for 10.8.1, 10.9.1, and 11.1. So overall, it's a little confusing to figure out what's going on but I appreciate your response.

JonEmch
Esri Regular Contributor

Hello Ryan,

I can confirm that we have three separate issues so that we can track impact across different versions of ArcGIS Enterprise. We will be re-deploying the patch along with additional tooling for each affected version of ArcGIS Enterprise. More information to come!

Keep on keeping on!
ThomasHoman
Occasional Contributor III

Agreed. I had never heard of the trust portal as well.

Thank you very much for the additional information.
Pei-SanTsai
New Contributor III

Per Portal for ArcGIS Enterprise Sites 2023 Security Patch (esri.com), "Customers working with versions prior to ArcGIS 11.1 who cannot patch at this time may mitigate all security issues addressed by the Portal for ArcGIS Enterprise Sites Security Patch.

Mitigation Options include:

Option 1: Upgrade your deployment to ArcGIS Enterprise 11.2 to completely remediate these vulnerabilities.

Option 2: Remove members from ArcGIS Enterprise Sites Core Team groups.

In either case, ArcGIS Enterprise sites will remain accessible."

Please correct me if I'm interpreting this statement incorrectly. I'm using ArcGIS Enterprise 10.9.1 and applied the patch back in June. Mitigation is one of the options listed above, meaning that I can upgrade to 11.2 to resolve the issue? I'm scheduled to upgrade our Dev Environment after Christmas. I was planning to do 11.1, but with this issue I will be upgrading to 11.2. Thank you!
RandallWilliams
Esri Regular Contributor

NO. DO NOT ATTEMPT TO UPGRADE OR INSTALL ANY PATCHES UNTIL THE 10.9.1 Validation and Repair tool IS AVAILABLE.

Upgrading is an option to remediate the Sites vulnerabilities IF and ONLY IF this faulty patch has not yet been installed. 

MarcoBoeringa
MVP Regular Contributor

I think the information you are looking for is on this page:

https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-enterprise-sites-security-patc...

I agree the description is not the clearest, but if I interpret this well, the main point seems to be the potential failure of a high availability "standby machine", as described in the quote visible below, which could of course be pretty problematic if your main server goes down due to a problem. Note that this issue only affects Windows installs according to the text:


BUG-000160830 - Installing the 11.1 version of the Portal for ArcGIS Enterprise Sites Security Patch results in failures on the standby machine in highly available environments. (11.1 only)

I think the other bug numbers mentioned in the quote below are actually the exact same issue, just with a different bug number for each version of ArcGIS Enterprise:


The defects that motivated the temporary disablement of the patches are BUG-000163367 (version 11.1), BUG-000160895 (version 10.9.1), and BUG-000161711 (version 10.8.1) and only impact Windows.


RandallWilliams
Esri Regular Contributor

To be clear, there are a few issues in play:

1. We released a series of patches for ArcGIS Enterprise Sites to address a few cross-site scripting issues.
2. While the patches fixed those issues, on Windows hosts they introduced an issue that could result in system availability challenges if additional patches or upgrades were subsequently installed.
   - This is what prompted us to pull that patch, and it took some time to develop a fix. This is an unprecedented issue for us, and it required a major engineering effort for us to release the tool that fixes this problem.
3. At the same time, we needed to produce a new patch for ArcGIS Enterprise Sites that wouldn't introduce this issue.