A critical vulnerability in the Portal for ArcGIS component of ArcGIS Enterprise has been discovered, where an ordinary authenticated user can elevate themselves to be administrators of the portal once a set of special steps is taken by that authenticated user. Portal for ArcGIS 10.3 and higher users are impacted.
As this is a critical vulnerability and the exploit not in yet in the wild, we strongly encourage everyone to apply this patch within the next two weeks to minimize risk. If you are not using the latest version of a release, such as 10.5, we have provided a patch for those versions, but recommend moving to at least the latest version of the release such as 10.5.1 so that you can apply the cumulative security patch incorporating all of the available security patches for the product version.The cumulative and non-cumulative security patches are available here:
Portal for ArcGIS Security 2018 Update 3 Patch is available for versions 10.6.1, 10.5.1, 10.4.1, and 10.3.1 and is a cumulative security patch for all issues available for the Portal version.
Portal for ArcGIS Privilege Escalation Security Patch is available for versions 10.6, 10.5, 10.4, and 10.3 and is non-cumulative This patch only includes a fix for this specific issue.
A support summary of the issue is availablehere.
Esri Software Security & Privacy Team