topic Re: Log4J version update? in ArcGIS Enterprise Questions

Log4J version update?

hkrebs95 — Wed, 02 Feb 2022 19:35:17 GMT

Hello all,

I'm just curious if ESRI is planning to include a Log4J version update in any upcoming releases/patches? Our leadership has determined that we cannot leave systems online that have Log4J < 2.17 regardless of whether the system can actually be exploited. I'm hoping with a forecasted patch we can keep our systems online knowing that a fix is coming down the pipeline.

Thanks so much!

Re: Log4J version update?

wayfaringrob — Wed, 02 Feb 2022 19:41:26 GMT

This may help https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/

Re: Log4J version update?

hkrebs95 — Wed, 02 Feb 2022 19:47:35 GMT

Thank you! I have reviewed that in the past. Unfortunately our leadership is being rather tone-deaf to the actual exploitability of the vulnerability and only cares about the version number. I did review our 1560001 plugin out of Nessus and it confirms the JNDI lookup class does not exist. If only that were enough.

Re: Log4J version update?

JonEmch — Thu, 03 Feb 2022 16:16:02 GMT

Hey there @hkrebs95, We have put out communication on this here:

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/

For mitigation efforts and updates. While I cannot comment on version numbers, I know there are efforts underway to address these concerns. Please reach out to our security team here: https://trust.arcgis.com/en/security-concern/ with any additional questions.

Re: Log4J version update?

Oiligriv — Fri, 04 Feb 2022 09:13:12 GMT

ArcGIS Enterprise security patches will be released throughout Q1 2022, with more specific dates posted here as the effort progresses.

source: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/