Good afternoon, is there any patches in the works or potential mitigation steps for the latest java log4j vulnerability (CVE-2021-44228)? I know that GeoEvent server uses log4j and can assume some other enterprise server's or portal potentially do as well. Any help would be appreciated in resolving this zero-day.
Solved! Go to Solution.
Our current statement is available on https://trust.arcgis.com. Look for more updates as this issue evolves.
I'm also waiting to hear any news from ESRI about this.
A quick filesystem search on a stand-alone ArcGIS Server installation shows numerous components using log4j. This won't just be about patching a file, but lots of files involving multiple components of multiple products. A not-so-happy holidays for Esri dev teams.
I found it here on my Portal for ArcGIS server:
The file is located in a 10.5.1 backup folder. I am currently running 10.8.1. Does it matter?
Sorry for the delayed reply. I see what you're saying, we made a backup when you upgraded. That's a backup in case your upgrade failed and you needed to bail out. I'd maybe archive it on an offline drive and just delete that directory.
That version of Log4J is not affected. Only versions 2.0 - 2.14.1
Following. Thanks for raising.