Açıklama
ArcGIS Enterprise kullanıcıları için geçtiğimiz günlerde Esri tarafından bir güvenlik güncellemesi yayınlanmıştır. Esri; ArcGIS Enterprise 10.9, 10.8.1, 10.8, 10.7.1, 10.6.1 ve 10.6 kullanan tüm kullanıcıların portallarına bu yamayı uygulamasını önermektedir. Yayınlanan bu yama, toplu bir güncellemedir ve daha önce yayınlanmış olan birkaç yamayı da bünyesinde barındırmaktadır.
“Portal for ArcGIS Security 2021 Update 1 Patch” güncellemesi, yüklenmesi gerekli bir güncellemedir. Gelecek zamanlarda yayınlanacak olan tüm yamalar, öncelikle “Portal for ArcGIS Security 2021 Update 1 Patch” güncellemesinin sistemde daha önceden yüklenmiş olmasını gerektirecektir. Windows işletim sistemi üzerinde bu yama uygulandıktan sonra kaldırılamaz. Windows Denetim Masası içerisindeki kaldırma yeteneği de devre dışı bırakılmıştır. Linux işletim sisteminde kaldırma işlemi engellenmez ancak bu yama, gelecek zamanlarda yayınlanacak yamalar için bir ön koşul olduğundan dolayı, kaldırılması önerilmez.
Mevcut iş akışınızın kesintiye uğramaması adına, bu güncellemeyi uygulamadan önce sisteminizin bir yedeğini almanız, olası bir sorun yaşamanız durumunda hızlı bir şekilde sisteminizi geri döndürmeniz açısından faydalı olacaktır. Lütfen bu yamayı uygulamadan önce ArcGIS Enterprise sisteminizdeki sunucu/sunucuların tam bir yedeğini aldığınızdan emin olunuz. Bu konuda kurumunuzun IT birimi ile de irtibata geçebilirsiniz.
SAML değişiklikleri hakkında önemli not: Bu güncelleme; oturum açmaya çalışırken hatalara neden olabilecek bazı SAML güncellemeleri sunar. ArcGIS Enterprise ortamınızda SAML kullanıyorsanız, hangi değişikliklere ihtiyaç duyabileceğiniz konusunda detaylı bilgi için lütfen AD FS için bu makaleye ve Shibboleth için bu makaleye bakın. SAML yapılandırmanızdaki uygulanması gereken bu değişiklikler, “Portal for ArcGIS Security 2021 Update 1 Patch” güncellemesini yüklemeden önce veya sonra yapılabilir.
Windows işletim sistemine sahip kullanıcılarımız “Portal for ArcGIS Security 2021 Update 1 Patch” güncellemesini indirmek için https://support.esri.com/en/download/7899#install bağlantısını kullanarak, sahip oldukları ArcGIS Enterprise versiyonuna ait kurulum dosyasına erişebilirler. Linux işletim sistemine sahip kullanıcılarımız da https://support.esri.com/en/download/7899#install-Unix bağlantısı üzerinden erişecekleri sayfadaki talimatları izleyebilirler. “Portal for ArcGIS Security 2021 Update 1 Patch” güncellemesi, sisteminizde bulunan tüm Portal for ArcGIS yüklü makinelere uygulanmalıdır.
“Portal for ArcGIS Security 2021 Update 1 Patch” yamasından önce yayınlanmış olan ve bu yama paketi içerisine dahil edilen önceki yamalar, artık yama bildirim aracında (patch notification tool) görünmeyecektir. Bu güncelleme paketi içerisinde bulunmayan bazı Portal for ArcGIS yamaları ise listelenmeye devam edecektir. Dolayısıyla listelenen bu yamaların ayrı olarak kurulmaları gerekmektedir. Gelecek zamanlarda yayınlanacak güncellemeler için düzenli aralıklarla https://support.esri.com adresini de ziyaret edebilirsiniz.
Bu yama ile çözülen sorunlar:
- BUG-000140596 – The full bar chart legend is not displayed in the Map Viewer for 10.8.1 map services. (10.8.1)
- BUG-000139216 – Privilege escalation vulnerability in Portal for ArcGIS
- BUG-000138525 – Reflected XSS vulnerability in Portal for ArcGIS
- BUG-000136493 – Stored Cross-Site Scripting issue in Portal for ArcGIS (10.8.1, 10.8, 10.7.1, 10.6.1, 10.6)
Bu yamanın 10.9 versiyonu ayrıca aşağıdaki konuları da içerir
- BUG-000139095 – Scheduled updates for shared pages in ArcGIS Insights fail to run causing tasks to remain in a scheduled state and eventually fail.
Bu yamanın 10.8.1 versiyonu ayrıca aşağıdaki konuları da içerir
- BUG-000139382 – Embedded Portal configurable apps fail to load on a browser with ‘Block third-party cookies’ enabled.
- BUG-000138825 – The Web Scene Viewer in ArcGIS Enterprise 10.8.1 does not honor the default values for the vertex count of an IntegratedMesh I3S 1.7 layer and fails to load the content.
- BUG-000137142 – When creating a new StoryMap app, an unnecessary HTTP 404 response is returned that can cause issues in some fire-walled environments.
- BUG-000136356 – The Filter widget in ArcGIS Web AppBuilder resets the ‘Ask for Value’ check box when two or more expressions are added.
- BUG-000136352 – Legend info in the Portal for ArcGIS 10.8.1 Map Viewer misses the histogram chart for a published map service with a bar chart symbol.
- BUG-000136041 – ArcGIS Enterprise portal members with custom roles should be able to delete their own services when the role includes administrative privileges such as ‘View all members’ and publisher privileges.
- BUG-000135044 – Block custom roles with the admin update privilege from updating the password of default.
- BUG-000134926 – Unvalidated redirect issue in the ArcGIS Enterprise portal sign in page.
- BUG-000134458 – In some environments, the standby portal does not rejoin successfully.
- BUG-000134077 – The OAuth Authorization code granted with Proof Key for Code Exchange (PKCE) fails in ArcGIS Enterprise 10.8.1
- BUG-000134014 – XSS filter encodes valid HTML tags that were supported in earlier releases.
- BUG-000133143 – Unable to configure email settings for ArcGIS Enterprise if fromEmailAddress parameter contains a hyphen in the domain section of the address (e.g. test@esri-1.com).
- BUG-000133077 – Firefly, Government, Public Safety symbol sets owned by esri_en are not shared with Esri Symbols Group.
- BUG-000131991 – Reflected cross-site scripting (XSS) in the home application.
- BUG-000131701 – Configurable parameters are not saved in ArcGIS Online and ArcGIS Enterprise.
Bu yamanın 10.8 versiyonu ayrıca aşağıdaki konuları da içerir
- BUG-000132747 – Changing the symbology style for a map image layer through Portal for ArcGIS map viewer causes the date field to disappear from the fields list in the Filter option.
- BUG-000128084 – A distributed collaboration participant is unable to import items created in ArcGIS Insights, such as workbooks, pages, and models, using ArcGIS Online or ArcGIS Enterprise 10.8.
Bu yamanın 10.7.1 versiyonu ayrıca aşağıdaki konuları da içerir
- BUG-000139021 – In a web application created using Web AppBuilder, unable to query related table from Query Widget.
- BUG-000134926 – Unvalidated redirect issue in the ArcGIS Enterprise portal sign in page.
- BUG-000133255 – Portal for ArcGIS system properties are not properly encrypted.
- BUG-000132449 – Portal proxy does not fully honor allowedProxyHosts parameter.
- BUG-000132379 – The image display settings configured for an imagery layer in ArcGIS Enterprise are not saved.
- BUG-000132362 – The webgisdr utility should be updated to expect the response from Portal for ArcGIS’s exportSite operation when items are missing from the items directory.
- BUG-000132361 – When the Portal for ArcGIS service is shutting down, there’s a chance that internal processes can become orphaned.
- BUG-000132359 – Unable to make proxy requests to an external url after applying the PFA Security 2020 Update 1 Patch.
- BUG-000132357 – Reflected XSS vulnerability in Portal for ArcGIS.
- BUG-000132356 – Reflected XSS vulnerability in Portal for ArcGIS.
- BUG-000132353 – XXE and SSRF vulnerability in Portal for ArcGIS.
- BUG-000132351 – Uncontrolled resource exhaustion issue in Portal for ArcGIS.
- BUG-000132292 – When Portal for ArcGIS is highly available, if the original portal machine that was installed first is shutdown, index operations will fail.
- BUG-000131521 – Only 10 layers downloaded using Screening widget ‘Download’ function in Chrome and Edge.
- BUG-000129924 – Portal for ArcGIS 10.7.1 High Availability Licensing Patch is preventing the Edit widget from editing the related tables
- BUG-000129821 – After installing the Portal for ArcGIS 10.7.1 High Availability Licensing Patch, the Portal Home Application, or components of it such as the App Switcher, may hang or fail to load after simultaneous requests are made for Integrated Windows Authentication (IWA) users.
- BUG-000129710 – Portal for ArcGIS has an XML external entity (XXE) vulnerability.
- BUG-000128938 – Analysis Derive New Locations fails to run in the Analysis widget.
- BUG-000128634 – Unable to create a backup of the portal if an item is missing from the content directory
- BUG-000128486 – After sharing a map from ArcGIS Pro with two layers as referenced and editable, users are unable to open the Smart Editor widget from the pop-up because the Options button is disabled.
- BUG-000128438 – Unable to save the query widget results from Web AppBuilder for ArcGIS when Portal for ArcGIS is configured with Public Key Infrastructure (PKI) or Integrated Windows Authentication (IWA).
- BUG-000128193 – Cross-site request forgery (CSRF) vulnerability in Portal for ArcGIS.
- BUG-000128134 – Exporting a CSV file from the Query widget in Portal for ArcGIS exports coded values rather than the descriptions.
- BUG-000128058 – Portal for ArcGIS has a Server Side Request Forgery (SSRF) security vulnerability.
- BUG-000128038 – Delay in Portal for ArcGIS permitting access to secured content within a group for new Enterprise members who login using Integrated Windows Authentication (IWA).
- BUG-000127934 – Attributes are not shown completely in pop-up window when an image service with a raster function template to symbolize the data is published to ArcGIS Server, and added to Portal Scene Viewer.
- BUG-000127472 – Stored XSS in Web AppBuilder.
- BUG-000126709 – When an image service with raster function template to symbolize data is published to ArcGIS Server and added to Portal Map Viewer, attributes are not shown completely in pop-up window.
- BUG-000126332 – Token is removed from cookie when Integrated Windows Authenticated users click the Scene tab in a Portal that has disabled anonymous access.
- BUG-000126259 – Feature server layers do not consistently appear in the drop-down list of possible layers to perform analysis in Portal for ArcGIS.
- BUG-000126198 – Primary & Standby Portals are no longer accessible after pg_hba.conf entries get commented out.
- BUG-000126166 – Failover in a highly available portal will result in “Failed to get current license information. This connection has been closed” errors in the logs.
- BUG-000126009 – When using the Attribute Table widget in the Web AppBuilder for ArcGIS to select many attributes in the table, only 150 attributes are selectable.
- BUG-000125961 – In Portal for ArcGIS 10.7.1, if a layer has related records and a copy is created, the related records do not appear in pop-ups for the copied layer.
- BUG-000125434 – A geoprocessing service with the GPDataFile input type does not provide the option to upload a file in the Web AppBuilder for ArcGIS geoprocessing widget in Portal for ArcGIS 10.7.1.
- BUG-000125332 – Unable to set the role of ArcGIS Server to federated server with restricted publishing in ArcGIS Enterprise deployment.
- BUG-000125033 – Users signed in through Integrated Windows Authentication (IWA) cannot search for layers under My Organization in Map Viewer.
- BUG-000124953 – Portal for ArcGIS application information exposure.
- BUG-000124785 – After failover, if an incremental backup is requested but a full hasn’t been run, run a full backup instead of incremental
- BUG-000124739 – The Smart Editor option is unavailable in the Web AppBuilder for ArcGIS pop-up, if the layer is shared from ArcGIS Pro as a reference and is editable in the web map.
- BUG-000124317 – Improper server side validation of uploaded file types.
- BUG-000124011 – Web AppBuilder for ArcGIS in Portal for ArcGIS does not display results when clicking ‘Show more results’ in the Search widget.
- BUG-000123692 – Stored XSS in Portal for ArcGIS Map Viewer.
- BUG-000123690 – Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application. CVSS 3.0 Base Score: 5.4 – CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- BUG-000123331 – The Attribute Table widget does not show related records consistently.
- BUG-000123137 – Database transaction logs are retained on standby when running the DR tool.
- BUG-000122662 – Include the userinfo folder during a backup .
- BUG-000122011 – Unable to disable the My Location widget in ArcGIS Online Web AppBuilder for ArcGIS if the ‘Watch for location changes’ option is checked.
- BUG-000121820 – Multiple Query widgets in the same Web AppBuilder for ArcGIS app do not work.
- BUG-000119150 – When a field contains a Range Domain, values do not appear in the Attribute Table widget in Web App Builder
- BUG-000117333 – The promote.dat file in the primary and standby portals causes constant creation of db snapshots in the standby arcgisportal folder.
- BUG-000116557 – The selected features do not honor the Attribute Table widget filter in Portal for ArcGIS 10.7.1 Web AppBuilder.
- BUG-000116405 – Portal for ArcGIS export site operation fails if the content directory path syntax utilizes forward slashes instead of back slashes.
- BUG-000116343 – In Web AppBuilder for ArcGIS, the Group Filter widget pane is cut off when the German-Deutsch language is set in the ArcGIS Online account.
- BUG-000116089 – The Web AppBuilder for ArcGIS Query widget filter expression is configured to only show ‘Values filtered by previous expressions’ lists all unique values instead of a filtered set when the previous expression is configured from the Group Filter widget.
- ENH-000123305 – Include relationship name along with table name to better distinguish different relationships on the same table.
Bu yamanın 10.6.1 versiyonu ayrıca aşağıdaki konuları da içerir
- BUG-000136840 – SSRF vulnerability in Portal for ArcGIS.
- BUG-000133255 – Portal for ArcGIS system properties are not properly encrypted.
- BUG-000132452 – Reflected XSS in Portal for ArcGIS Home app.
- BUG-000132449 – Portal proxy does not fully honor allowedProxyHosts parameter.
- BUG-000132362 – The webgisdr utility should be updated to expect the response from Portal for ArcGIS’s exportSite operation when items are missing from the items directory.
- BUG-000132359 – Unable to make proxy requests to an external url after applying the Portal for ArcGIS Security 2020 Update 1 Patch.
- BUG-000132357 – Reflected XSS vulnerability in Portal for ArcGIS.
- BUG-000132356 – Reflected XSS vulnerability in Portal for ArcGIS.
- BUG-000132353 – XXE and SSRF vulnerability in Portal for ArcGIS.
- BUG-000132351 – Uncontrolled resource exhaustion issue in Portal for ArcGIS.
- BUG-000132292 – When Portal for ArcGIS is highly available, if the original portal machine that was installed first is shutdown, index operations will fail.
- BUG-000129710 – Portal for ArcGIS has an XML external entity (XXE) vulnerability.
- BUG-000128634 – Unable to create a backup of the portal if an item is missing from the content directory
- BUG-000128193 – Cross-site request forgery (CSRF) vulnerability in Portal for ArcGIS.
- BUG-000128058 – Portal for ArcGIS has a Server Side Request Forgery (SSRF) security vulnerability.
- BUG-000127472 – Stored XSS in Web AppBuilder.
- BUG-000127276 – When accessing a secured service from a federated Server through Map Viewer or Web AppBuilder in Portal for ArcGIS 10.6.1 using IWA, the service token fails to regenerate automatically and causes the service to become blank when the token expires.
- BUG-000126198 – Primary & Standby Portals are no longer accessible after pg_hba.conf entries get commented out.
- BUG-000124953 – Portal for ArcGIS application information exposure
- BUG-000124785 – After failover, if an incremental backup is requested but a full hasn’t been run, run a full backup instead of incremental
- BUG-000124382 – After allowing Google Chrome to save your account details, the ‘Add Item’ > ‘From the web’ option displays the error ‘The service type is not valid’.
- BUG-000123692 – Stored XSS in Portal for ArcGIS Map Viewer.
- BUG-000123690 – Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application. CVSS 3.0 Base Score: 5.4 – CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- BUG-000123331 – The Attribute Table widget does not show related records consistently.
- BUG-000123137 – Database transaction logs are retained on standby when running the DR tool.
- BUG-000123043 – Decrease the number of JavaScript files loaded when printing in the Portal map viewer.
- BUG-000122662 – Include the userinfo folder during a backup .
- BUG-000121732 – The custom basemap does not appear in the Web AppBuilder for ArcGIS Basemap widget although the group is set as the default in the Edit settings under Organization.
- BUG-000121145 – Portal proxy does not fully validate allowedProxyHosts parameter.
- BUG-000120392 – Smart Editor Widget Fails to Set Attribute Action Expressions in Portal for ArcGIS 10.6.1.
- BUG-000120333 – Reflected cross-site scripting (XSS) in the Portal for ArcGIS home application.
- BUG-000120300 – A publicly shared scene view prompts for authentication after 10 minutes of inactivity when using a scene service published to ArcGIS Enterprise 10.7 portal prerelease.
- BUG-000120061 – Related data points to the same feature in Web AppBuilder for ArcGIS for Portal for ArcGIS when there are multiple relationships to the same feature class.
- BUG-000119891 – Portal for ArcGIS profiles allow HTML injection (Only in 10.6.1, 10.5.1 and 10.4.1). CVSS 3.0 Base Score: 3.5 – CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- BUG-000117926 – Unable to synchronize collaboration workspaces when the guest participant’s content directory uses a Cloud Store.
- BUG-000117564 – Privilege escalation vulnerability
- BUG-000117369 – Reflected cross-site scripting (XSS) in item URL
- BUG-000117367 – Un-validated redirect in Portal for ArcGIS
- BUG-000117333 – The promote.dat file in the primary and standby portals causes constant creation of db snapshots in the standby arcgisportal folder.
- BUG-000116870 – Unable to share Insights Workbooks, Pages and Model items to Everyone.
- BUG-000116734 – The Attribute Table widget selections are not consistently honored by the Edit widget.
- BUG-000116687 – Temporal filters created from tool parameters in Portal for ArcGIS Map Viewer are incorrectly formatted and cause tool failures.
- BUG-000116405 – Portal for ArcGIS export site operation fails if the content directory path syntax utilizes forward slashes instead of back slashes.
- BUG-000116195 – Panning and zooming in the web maps on a touch screen device does not work in Google Chrome 68.x.
- BUG-000115964 – The App Launcher becomes unavailable after the external content is disabled.
- BUG-000115859 – When selecting line or polygon features for layers with pop-ups enabled, the selection symbology does not match the actual feature geometry.
- BUG-000114004 – The Show Related Records option in the Attribute Table widget returns no records in the related table.
- BUG-000112707 – Reflected cross-site scripting (XSS) in Portal for ArcGIS Home application.
- BUG-000112342 – The webgisdr incremental restore fails when Geo Analytics Server is federated and registered with Portal as the Geo Analytics Server.
- ENH-000123305 – Include relationship name along with table name to better distinguish different relationships on the same table.
- ENH-000116621 – Add the ability to modify the maximum token expiration time of tokens generated to login to Portal for ArcGIS when using IDP-initiated logins.
Bu yamanın 10.6 versiyonu ayrıca aşağıdaki konuları da içerir
- BUG-000130954 – When attribute filters are applied to the Attribute Table widget in the Web AppBuilder for ArcGIS Enterprise Portal, and a large number of records are in the filtered results, the CSV export does not honor the filters.
- BUG-000130067 – An infinite number of requests are generated when viewing the attribute of a service with around one million features in ArcGIS Web AppBuilder.
- BUG-000128058 – Portal for ArcGIS has a Server Side Request Forgery (SSRF) security vulnerability.
- BUG-000123523 – The Attribute Table widget in ArcGIS Online does not display the ongoing process of loading features when the ‘Filter by map extent’ option is deselected.
- BUG-000121222 – The Attribute widget in Web AppBuilder for ArcGIS does not return consistent records when exporting attribute to CSV for a feature layer with large records (millions) in Portal for ArcGIS.
- BUG-000121145 – Portal proxy does not fully validate allowedProxyHosts parameter.
- BUG-000117564 – Privilege escalation vulnerability.
- BUG-000114738 – Internet Explorer 11 does not properly encode spaces in certain Portal request URLs, which causes the request to fail in Portal Linux 10.6
- BUG-000109526 – The ‘Filter’ widget in WebApp Builder for ArcGIS does not honor the layer’s date format setting.
- ENH-000116621 – Add the ability to modify the maximum token expiration time of tokens generated to login to Portal for ArcGIS when using IDP-initiated logins.
Faydalı Bağlantılar
- https://support.esri.com/en/download/7899
- Portal for ArcGIS Security 2021 Update 1 Patch
- Error: Unable to log in using IDP. ‘NAME_ID’ not found in SAML response for AD FS
- Error: Unable to log in using IDP. Invalid subject found in SAML response for Shibboleth
- Check for and install software patches and updates