https://community.esri.com/t5/arcgis-enterprise-questions/log4j-cve-2021-45105/m-p/1128510#M32098 <P>Thank you. I saw that the blog article had an update today.&nbsp;</P><P><EM>from the blog ... "Initial Post 12/12/21 – Last Updated 12/22/21 – 10:30am PT"</EM></P><P>I saw that the guidance re: CVE-2021-45105 is still to implement a WAF. Hopefully other recommendations will be coming soon.&nbsp;</P><P>Thanks,</P><P>Joe</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 23 Dec 2021 00:02:58 GMT JoePlattner 2021-12-23T00:02:58Z https://community.esri.com/t5/arcgis-enterprise-questions/log4j-cve-2021-45105/m-p/1128127#M32082 <P>I've been asked to look into assisting with mitigating CVE-2021-45105 in our ARCGIS enterprise environment. Searching log4j, I did not find any other discussions relating to this specific CVE so I'm asking it here.</P><P>The python script only seems to address <SPAN>CVE-2021-44228 and CVE-2021-45046.</SPAN></P><P>Anyone else working on this, or have a solution?</P><P>The ESRI blog referencing this reccomends applying&nbsp;<SPAN>Web Application Firewall rules to mitigate this. ESRI tech support (even our premium support tier) is unable to advise or assist us with these firewall rules.</SPAN></P><P>So I've forwarded the Web Application Firewall doc included in the log4j blog post from ESRI&nbsp; to our network team, and while I'm waiting for them to get back to me, I thought I'd see if anyone else has done anything on this specific CVE.</P> Tue, 21 Dec 2021 20:21:06 GMT https://community.esri.com/t5/arcgis-enterprise-questions/log4j-cve-2021-45105/m-p/1128127#M32082 JoePlattner 2021-12-21T20:21:06Z https://community.esri.com/t5/arcgis-enterprise-questions/log4j-cve-2021-45105/m-p/1128371#M32091 <P>We are nearing our investigation regarding this issue and plan to update our Log4J statement later today to include information regarding CVE-2021-45105.</P> Wed, 22 Dec 2021 17:35:40 GMT https://community.esri.com/t5/arcgis-enterprise-questions/log4j-cve-2021-45105/m-p/1128371#M32091 RandallWilliams 2021-12-22T17:35:40Z https://community.esri.com/t5/arcgis-enterprise-questions/log4j-cve-2021-45105/m-p/1128510#M32098 <P>Thank you. I saw that the blog article had an update today.&nbsp;</P><P><EM>from the blog ... "Initial Post 12/12/21 – Last Updated 12/22/21 – 10:30am PT"</EM></P><P>I saw that the guidance re: CVE-2021-45105 is still to implement a WAF. Hopefully other recommendations will be coming soon.&nbsp;</P><P>Thanks,</P><P>Joe</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 23 Dec 2021 00:02:58 GMT https://community.esri.com/t5/arcgis-enterprise-questions/log4j-cve-2021-45105/m-p/1128510#M32098 JoePlattner 2021-12-23T00:02:58Z https://community.esri.com/t5/arcgis-enterprise-questions/log4j-cve-2021-45105/m-p/1128519#M32099 <P>Just checking what other vendors have suggested.</P><P>The specific flaw exists within the StrSubstitutor class. The issue results from the lack of proper validation of user-supplied data, which can result in a resource exhaustion condition. An attacker can leverage this vulnerability to create a denial-of-service condition on the process.</P><P>recommends write-protecting Log4j configuration files.</P><P>My question would be for ESRI - Is removal of the StrSubstitutor class an option?</P><P>&nbsp;</P> Thu, 23 Dec 2021 01:18:30 GMT https://community.esri.com/t5/arcgis-enterprise-questions/log4j-cve-2021-45105/m-p/1128519#M32099 BrianParker2 2021-12-23T01:18:30Z