Select to view content in your preferred language

Log4j Vulnerabilities: Should we install Log4j Vulnerabilities patches after Esri remedy scripts had been applied

1171
5
Jump to solution
04-20-2022 08:49 AM
Labels (1)
chintakandel
Regular Contributor

I'd applied Esri remedy scripts to mitigate Log4j Vulnerabilities in December 2021. Esri released  Log4j Vulnerabilities patches for Portal, Server and Data Store in February 2022. I'm curious whether we have to reapply these Log4j patches since we had  already applied Esri remedy scripts. 

Any suggestions about reapplying Log4j patches?

Thanks,

Chintamani

0 Kudos
1 Solution

Accepted Solutions
ReeseFacendini
Esri Regular Contributor

The python scripts from December where designed to help remove the initial threat, but the patches released in February go back and permanently fix the issue by updating the affected files to the latest secured version of Log4j. It's highly recommended to apply the patches, regardless of running the mitigation scripts.

View solution in original post

0 Kudos
5 Replies
ReeseFacendini
Esri Regular Contributor

The python scripts from December where designed to help remove the initial threat, but the patches released in February go back and permanently fix the issue by updating the affected files to the latest secured version of Log4j. It's highly recommended to apply the patches, regardless of running the mitigation scripts.

0 Kudos
MichaelVolz
Esteemed Contributor

Does the patch require that the server be restarted?

0 Kudos
ReeseFacendini
Esri Regular Contributor

The machine does not need to be restarted, but the Enterprise site will be down for a moment while they install. It would be best to install them outside of business hours, to minimize disruption

0 Kudos
MichaelVolz
Esteemed Contributor

I installed the log4jpatch on a server using AGS Enterprise Patch Notifiication some time ago and under Installed Patches it shows up as installed, yet the Log4j patch also appears under  Available Updates.

As such has this patch been updated so it needs to be installed again?

If so, how can I tell the most recent patch has been applied as opposed to the original patch?

ReeseFacendini
Esri Regular Contributor

The updated Log4j patch corrects an issue with AWS ArcGIS Server deployments. You can install it again, it won't harm anything, but if you don't have an AWS deployment it's not critical. It will say Log4j Patch B, after it's installed

0 Kudos