Latest Contributions by JohnGibson2

Hi Cort, I looked at Server at both 10.3.1 and 10.6.1 for this issue earlier. Most likely 10.5 has no installs of log4j v2 (which is where the current vulnerability lies). However it most likely has installs of log4j v1 which is now deprecated, and has bugs of it's own (but not as severe). So the supplied patch won't do anything for your 10.5 install. I can only suggest following ESRI's advice in the blog re upgrades etc. Of course upgrading is often easier said than done, depending on your resources. ... View more

Hi Brian, I initially found the same problem as you when running the script against a 10.8.1 Server install on Windows. As a workaround I first manually backed up the listed 5 .jar files into separate subdirs to ensure I saved the right ones. I then modified the Py script by commenting out #backup(jar_path) at line 56. I then reran the script using CMD as administrator & it worked fine. I was probably just missing some permissions on my admin account or something. Thanks to ESRI for pushing out this script so quickly. ... View more

Good point about 10.3.1, thanks Erik. ArcGIS Servers (v.10.3.1) use log4j v1.2.12 which is however vulnerable to some much older but lesser issues - see https://logging.apache.org/log4j/1.2/. This has a threat score CVSS of 7.5 and this threat has been around for many years. There is no fix. ... View more

The utility available at GitHub - logpresso/CVE-2021-44228-Scanner: Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228 looks like a useful check. Using the utility on ArcGIS Server 10.3.1 (Server only, no extensions) on Windows Server lists no vulnerabilities. Using the utility on ArcGIS Server 10.6.1 (Server only, no extensions) on Windows Server lists the following issues : C:\Users\bloggsj>D:\Temp\Utilities\log4j2-scan.exe "C:\Program Files\ArcGIS" [*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\framework\lib\shared\log4j-core-2.8.2.jar, log4j 2.8.2 [*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\configurebasedeployment\lib\log4j-core.jar, log4j 2.8.2 [*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\createsite\lib\log4j-core.jar, log4j 2.8.2 [*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\upgradebasedeployment\lib\log4j-core.jar, log4j 2.8.2 [*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\upgradeserver\lib\log4j-core.jar, log4j 2.8.2 Scanned 5264 directories and 45936 files Found 5 vulnerable files Completed in 22.24 seconds Regards John ... View more

Excellent article that has "saved my bacon" twice now. First time was after Windows patching, and the second after a random Windows Server crash. In both cases this was with Server 10.3.1 and the config.xml was corrupted. In the second case the log file had the following message : "SEVERE: Parse Fatal Error at line 1 column 1: Content is not allowed in prolog. org.xml.sax.SAXParseException; systemId: file:/C:/Program%20Files/ArcGIS/Server/framework/runtime/tomcat/conf/server.xml; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog." In this case, both config.xml and web.xml in the same folder were corrupted and stuffed with NUL characters. Replacing these files from another server and reconfiguring config.xml as stated solved the problem. Restarting the ArcGIS Server service then restored the system ok. Thanks for posting this article! ... View more

Thanks to Matiss for solving this problem. A recent update of ArcGIS Online (June 2017) meant that an update was required in my code. I created a web app using Web App Builder in ArcGIS Online & exported code to a web server. I updated the file jimu.js\main.js as follows : immediately after the line : console.log("jimu.js init..."); I inserted the line : G.bundle.widgets.popup.NLS_noInfo = "<My popup message for no info>"; (No changes to the define list are now required) See also Default API Strings | Guide | ArcGIS API for JavaScript 3.20  for some background. ... View more