ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

12-11-2021 09:13 AM
Carl_Flint
New Contributor III

Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses log4j and can assume some other enterprise servers or portals potentially do as well. Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
162 Replies
Kai_Ole_Rogge_Allianz
New Contributor

ArcGIS Enterprise base deployment shows more than 50 affected .jar files (Esri and 3rd party like Elasticsearch).

Looking forward to any updates/patches/support.

Cheers
Kai

MarkusRuottinen
New Contributor II

Hi

Do you know if it is possible to set environment variables which ArcGIS Server uses on Windows Server?

I ask this because https://logging.apache.org/log4j/2.x/security.html says: "Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. "

I am just asking; I don't know if this is the correct solution.

Br

Markus

Swani_Jesus_Captonsiluvairajan
New Contributor III

Do we have any updates on this? Do we have to shut down the portal and server services as a precaution?

RandallWilliams
Esri Regular Contributor

Our current statement is available on https://trust.arcgis.com. Look for more updates as this issue evolves. 

GianniCampanile2
New Contributor III

Hi Randall,

the statement does not make clear a couple of important points:

- does the 10.9.1 version definitively solve the problem?

- is the problem only for the ArcGIS Enterprise Java version or also for the .NET one?

Thanks

Gianni

AdrianMarsden
Occasional Contributor III

the blog says "mitigated" with 10.9 - "to make (something) less severe, harmful, or painful. "

GianniCampanile2
New Contributor III

Hi Adrian,

the mitigation statement is for 10.8.1 version, while regarding 10.9 it says "We recommend updating to the latest version of 10.9.1 for the strongest security posture" and I can't figure out if it's a solution or just a generic recommendation.

Gianni

AdrianMarsden
Occasional Contributor III

I read it differently 

  1. Upgrade to ArcGIS Enterprise 10.8 or later, as risk is mitigated with these versions – We recommend updating to the latest version of 10.9.1 for the strongest security posture.

so version 10.8 and above "mitigate", and of course 10.9 will always be best

MichaelRobb
Occasional Contributor III

10.9 is not ideal as 10.9 is a 'short release'. It would have to be 10.9.1.

SreehariGomasani
New Contributor

How do I check my current system for the Log4j vulnerability? I am currently using ESRI Enterprise 10.4.
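An added example for the two practical questions in this thread (how to check an installation for affected jars, and whether the flag Markus quoted from the Apache advisory applies). This is not code from the thread or from Esri: it walks a directory, recognises log4j-core jars by their Maven pom.properties, reports the version and whether JndiLookup.class is present, and classifies each jar against the 2.10+ no-lookups mitigation. The directory names and version numbers in build_sample_tree are constructed test input.

```python
import os, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def inspect_jar(path):
    """Return (version, has_jndi_lookup) if the jar is log4j-core, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM_PROPS not in names:
                return None
            props = jar.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((p.split("=", 1)[1].strip() for p in props if p.startswith("version=")), "0")
            return version, JNDI_CLASS in names
    except zipfile.BadZipFile:
        return None

def scan_tree(root):
    """Walk root and map every log4j-core jar path to (version, has_jndi_lookup)."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                info = inspect_jar(os.path.join(dirpath, name))
                if info:
                    found[os.path.join(dirpath, name)] = info
    return found

def assess(version, has_jndi, flag_set):
    """Classify one jar; the no-lookups flag from the Apache advisory only counts on 2.10+."""
    v = tuple(int(p) for p in version.split(".") if p.isdigit())  # '2.10.0' -> (2, 10, 0)
    if not has_jndi:
        return "JndiLookup.class absent"
    if v >= (2, 15):
        return "fixed release (2.15.0 or later)"
    if v >= (2, 10):
        return "mitigated by flag" if flag_set else "vulnerable: set flag or upgrade"
    return "vulnerable: flag not honoured before 2.10, upgrade required"

def build_sample_tree():
    """Constructed test input: two fake log4j-core jars in a temp dir (not real Esri files)."""
    root = tempfile.mkdtemp()
    for sub, version in [("framework", "2.11.2"), ("geoevent", "2.3")]:
        os.makedirs(os.path.join(root, sub))
        with zipfile.ZipFile(os.path.join(root, sub, "log4j-core.jar"), "w") as jar:
            jar.writestr(POM_PROPS, f"version={version}\n")
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # stub entry, not a real class file
    return root
```

Point scan_tree at the ArcGIS install root and pass `os.environ.get("LOG4J_FORMAT_MSG_NO_LOOKUPS") == "true"` as flag_set; jars packed inside .war archives are not unpacked by this scanner and need a separate pass.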