Microsoft Asp.net Core Multiple Security Vulnerabilities For March 2018


Hasan Fogg

Aug 5, 2024, 3:09:51 AM
to nteponserre
March 21, 2024: A new setup for the ArcGIS Enterprise 10.8.1 Windows version of the Portal for ArcGIS Enterprise Sites Security Patch is now available. This new setup addresses an issue related to a defective patch installation on Windows, as described in BUG-000161711. Before installing this new patch, first run the Portal for ArcGIS Validation and Repair tool. The tool will validate your ArcGIS Enterprise deployment and determine if the defective patch is installed. If the defective patch is detected, you will be directed to use the tool to repair your deployment before you can install Portal for ArcGIS patches released as of December 2023.

The new setup, which replaces the defective patch, is named Portal for ArcGIS Enterprise Sites Security Patch. Note that the patch, when shown as available in the ArcGIS Enterprise Patch Notification tool, is listed as Portal for ArcGIS Enterprise Sites Security Patch (without the B suffix) with a release date of March 21, 2024; once installed, it is listed as Portal for ArcGIS Enterprise Sites Security Patch B.


Esri announces the Portal for ArcGIS Validation and Repair tool. The Portal for ArcGIS Validation and Repair tool must be run on all 11.1, 10.9.1 and 10.8.1 machines with Portal for ArcGIS installed. The Portal for ArcGIS Validation and Repair tool is specifically for deployments on Windows.


The tool will validate your deployment and determine if the defective Portal for ArcGIS Enterprise Sites Security Patch is installed. If the defective patch is detected, you will be directed to use the tool to repair the deployment. The repair will remove the defective patch and all other Portal for ArcGIS patches on the deployment. After completing the repair, Portal for ArcGIS patches will need to be reapplied either through the ArcGIS Enterprise Patch Notification tool or by downloading patches available from Esri.


Esri recommends scheduling the repair, as well as the reinstallation of patches, during a planned maintenance timeframe. This is because the Enterprise portal will be inaccessible while the repair and patch reinstallation take place, which can be for several hours. The time needed for repair depends on the number of patches installed as well as hardware and machine resources. Note that repair time will be significantly longer for Portal for ArcGIS Enterprise 10.8.1 deployments than other versions. The Portal for ArcGIS Validation and Repair tool reports a progress status as each patch is removed. If the tool must be terminated during the repair, it is possible to re-run the tool and resume the repair, but only after the machine has been restarted. The tool creates a log file and details on how to use the log are found in the Additional details section.


All Portal for ArcGIS patches released as of December 2023 will have a prerequisite requiring that the Portal for ArcGIS Validation and Repair tool is run successfully. Only following the successful validation of a deployment will it be possible to install new Portal for ArcGIS patches. Therefore, you will need to run the Portal for ArcGIS Validation and Repair tool prior to installing any Portal for ArcGIS patches released as of December 2023.


March 21, 2024: A new setup is now available for the Portal for ArcGIS 10.9.1 Validation and Repair tool. This new version of the tool includes resolutions for a possible upgrade failure and issues running the tool with no available disk space. This version also enhances tool resiliency when it is terminated during a repair and provides more informative logging. There is no need to run this new tool if you already used the previous version of the tool to successfully validate your Enterprise portal.


The new setup replaces the previous Portal for ArcGIS 10.9.1 Validation and Repair tool. When shown as available in the ArcGIS Enterprise Patch Notification tool, it is listed as Portal for ArcGIS 10.9.1 Validation and Repair (without the B suffix) with a release date of March 21, 2024; once installed, it is listed as Portal for ArcGIS Validation and Repair B. Note that the B version of the tool will run over top of the previous version; there is no need to uninstall the previous version prior to running the new setup.


The 11.1 version of this patch has been re-released. Patches for previous versions are forthcoming. We have updated this advisory to provide guidance for those users who have not yet installed any version of the Portal for ArcGIS Enterprise Sites Security Patch and require interim mitigations to address the vulnerabilities fixed by those patches.


Important note December 12, 2023: A new setup for the ArcGIS Enterprise 11.1 Windows version of the Portal for ArcGIS Enterprise Sites Security Patch is now available here. This new setup addresses an issue related to a defective patch installation on Windows, as described in BUG-000163367. Before installing this new patch, first run the Portal for ArcGIS Validation and Repair tool. The tool will validate your ArcGIS Enterprise deployment and determine if any defective patches are installed. If defective patches are detected, you will be directed to use the tool to repair your deployment before you can install Portal for ArcGIS patches released as of December 2023. Windows 10.9.1 and 10.8.1 versions of this patch will be released at a future date.


Important note October 12, 2023: The download of this patch has been temporarily disabled while a problem with the install of this patch is investigated. Specific to the 11.1 version of this patch, installing the Portal for ArcGIS Enterprise Sites Security Patch into version 11.1 highly available Portal for ArcGIS environments will result in failures because a user-configured file is not properly restored. An uninstall of the Portal for ArcGIS 11.1 Enterprise Sites Security Patch does not resolve the failures. A corrected version of this patch will be available soon. For those who have already installed this patch and encountered failures in a highly available environment, please refer to this Esri Technical Article for help.


Original Text: This patch contains fixes for one high security issue and multiple medium priority security issues. Esri highly recommends that customers using Portal for ArcGIS 11.1 through 10.8.1 install this patch. Users at version 10.7.1 should upgrade to 10.9.1 or 11.1 and install this patch. ArcGIS 10.7.1 is in mature support status and no longer receives patches. Users working with ArcGIS Enterprise 10.7.1 and below are encouraged to upgrade to versions 11.1 (preferred), 10.9.1 or 10.8.1 and install available security patches.


We provide Common Vulnerability Scoring System v3.1 (CVSS) scores to allow our customers to better assess the risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.

Google has issued a cautionary alert regarding a development involving multiple threat actors. They have identified a public proof-of-concept exploit named Google Calendar RAT (GCR), utilizing the Google Calendar service for command-and-control operations through a Gmail account. This exploit, developed by Valerio Alessandroni (known online as MrSaighnal), establishes a 'Covert Channel' by manipulating event descriptions in Google Calendar.


Despite being published on GitHub in June 2023, Google reports no observed use of the tool in the wild. However, their Mandiant threat intelligence unit has noted several threat actors sharing this exploit on underground forums. GCR, when running on a compromised system, intermittently checks the Calendar event descriptions for new commands, executes these commands on the targeted device, and then updates the event description with the command output. What's particularly concerning is its utilization of legitimate infrastructure, which significantly complicates the detection of suspicious activities for defenders, as highlighted by Google in their eighth Threat Horizons report.


Security experts have identified a new trend involving the misuse of Google Forms' "Release scores" feature by cybercriminals orchestrating crypto-related spam and scams. These malicious actors manipulate this functionality to craft fraudulent emails urging recipients to invest in cryptocurrency or divulge personal information.


Cisco Talos has highlighted how spammers abuse Google Forms by generating quizzes and utilizing any available email address to complete these forms. Upon submission, these spammers gain access to responses and activate the "Release scores" feature within Google Forms. This allows them to send tailored email communications using the sender's Google account address. Leveraging Google's servers for transmission potentially heightens the likelihood of these deceptive messages reaching victims' inboxes.


This emerges shortly after Google's prior advisory regarding threat actors exploiting its Calendar service to establish command-and-control infrastructure. This manipulation involved the use of a tool known as Google Calendar RAT, initially introduced on GitHub in June. This tool empowered attackers to exploit event descriptions within Google Calendar, establishing a concealed communication channel.


VMware Carbon Black researchers have unearthed renewed waves of Jupyter Infostealer attacks, leveraging refined PowerShell command adjustments and the inclusion of private key signatures. These alterations seek to cloak the malware as a legitimately signed file, thereby complicating its detection.


Previously recognized as Polazert, SolarMarker, and Yellow Cockatoo, the Jupyter Infostealer has a history of exploiting manipulated search engine optimization (SEO) strategies and malvertising tactics. These methods serve as initial access vectors, enticing unsuspecting users searching for popular software to download it from questionable websites.
