topic Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation? in ArcGIS Enterprise Questions

ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

Carl_Flint — Wed, 15 Dec 2021 18:44:45 GMT

Good afternoon, is there any patches in the works or potential mitigation steps for the latest java log4j vulnerability (CVE-2021-44228)? I know that GeoEvent server uses log4j and can assume some other enterprise server's or portal potentially do as well. Any help would be appreciated in resolving this zero-day.

Thanks,

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

IngaPlayle1 — Sat, 11 Dec 2021 21:16:37 GMT

I'm also waiting to hear any news from ESRI about this.

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

JoshuaBixby — Sat, 11 Dec 2021 21:31:01 GMT

A quick filesystem search on a stand-alone ArcGIS Server installation shows numerous components using log4j. This won't just be about patching a file, but lots of files involving multiple components of multiple products. A not-so-happy holidays for Esri dev teams.

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

AndresEcheverri — Sun, 12 Dec 2021 01:01:10 GMT

Really interested on this topic too.

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

JohnBrockwell — Sun, 12 Dec 2021 01:34:49 GMT

I found it here on my Portal for ArcGIS server:

E:\arcgisportal\upgrade-backup\10.5.1\dsdata\elasticsearch_2.3.2\lib

File Name:

apache-log4j-extras-1.2.17.jar

The file is located in a 10.5.1 backup folder. I am currently running 10.8.1. Does it matter?

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

OmerBen-Asher — Sun, 12 Dec 2021 07:31:13 GMT

also interested

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

Scott_Tansley — Sun, 12 Dec 2021 09:29:41 GMT

Following. Thanks for raising.

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

MarkusRuottinen — Sun, 12 Dec 2021 11:05:26 GMT

Also following.

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

Kai_Ole_Rogge_Allianz — Sun, 12 Dec 2021 11:10:28 GMT

ArcGIS Enterprise base deployment shows more then 50 affected .jar files (Esri and 3rd party like Elasticsearch).

Looking forward to any updates/patches/support.

Cheers
Kai

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

MarkusRuottinen — Sun, 12 Dec 2021 12:02:21 GMT

Do you know is it possible to set environment variables which ArcGIS Server uses in windows server.?

I ask this because https://logging.apache.org/log4j/2.x/security.html says: "Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. "

I just ask, I don't know is this correct solution.

Markus

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

Swani_Jesus_Captonsiluvairajan — Sun, 12 Dec 2021 14:17:56 GMT

Do we have any updates on this? Do we have to shutdown the portal and server services as a precaution?

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

RandallWilliams — Sun, 12 Dec 2021 19:40:35 GMT

Our current statement is available on https://trust.arcgis.com. Look for more updates as this issue evolves.

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

PhilipOrlando — Sun, 12 Dec 2021 21:11:20 GMT

Following.

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

Anonymous User — Mon, 13 Dec 2021 06:27:40 GMT

we use some older installs of ArcGIS Server (10.3.1 and 10.6.1). Scanning the install for log4j shows only older versions of log4j under C:\Program Files\ArcGIS\Server\framework dated 2005 and with version 1.2.12 in the manifest. I could not find any reference to the class or function names cited in the CVE-2021-44228 advisory. My initial thought is that these versions of ArcGIS Server do not use log4j v2 and may not be vulnerable as a result.

I used this command from CMD using the Java SDK utility jar.exe to list the Java classes :

C:\Program Files\ArcGIS\Server\framework>forfiles /S /M *.jar /C "cmd /c jar -tvf @file | findstr /C:"log4j" && echo @path" > C:\Temp\log4j_info.txt

(see https://www.windows-commandline.com/search-classes-in-jar-file/)

Unzipping a copy of a Jar file (rename & unzip) shows the version in the manifest.mf file

Regards

John

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

GianniCampanile2 — Mon, 13 Dec 2021 11:18:29 GMT

Hi Randall,

the statement does not make clear a couple of important points:

- does 10.9.1 version definitevely solves the problem ?

- is the problem only for ArcGIS Enterprise JAVA version or also for .Net one ?

Thanks

Gianni

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

AdrianMarsden — Mon, 13 Dec 2021 12:50:43 GMT

looking at my servers, some have log4j 2.x, some don't - I realize it is still early on this, but an exact matrix of what does and doens't have this would be really useful.

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

SPisOs — Mon, 13 Dec 2021 13:29:12 GMT

I am on ArcGIS Server 10.6.1

I have found this Jar, which I think is affected :

"C:\Program Files\ArcGIS\Server\framework\lib\shared\log4j-core-2.8.2.jar"

Following the suggestions from

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

I am going to delete from that Jar:

org/apache/logging/log4j/core/lookup/JndiLookup.class

I am also going to add the System environment variable

LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Then reboot

Question: Are there any other Jars to fix or reconfigure?

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

AdrianMarsden — Mon, 13 Dec 2021 13:53:44 GMT

the blog says "mitigated" with 10.9 - "to make (something) less severe, harmful, or painful. "

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

SreehariGomasani — Mon, 13 Dec 2021 14:03:01 GMT

How do I check the Log4j Vulnerability to my current system? As I am currently using ESRI Enterprise 10.4

Re: ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

GianniCampanile2 — Mon, 13 Dec 2021 14:08:43 GMT

Hi Adrian,

the mitigation statement is for 10.8.1 version, while regarding 10.9 it says "We recommend updating to the latest version of 10.9.1 for the strongest security posture" and I can't figure out if it's a solution or just a generic recommendation.

Gianni