Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java Log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses Log4j and can assume some other Enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.
Thanks,
I'd like more documentation/guidance for installing Python on the Datastore machine. I don't see a Python download on My Esri, and going directly to the Python website there are lots of versions to choose from. Our deployment has Datastore on a separate machine from Portal or Server, so no Python is installed.
Hi Ingrid, I downloaded and installed 3.10.1 for Windows from the Python.org website. I did a minimal install on the Datastore machines and it worked perfectly.
After installation, is there anything special required for environment setup? And did you install under the user account or elsewhere on the machine? I ran into some issues with cmd recognizing the python.exe inputs. I think I saw another post elsewhere in this thread about installing ArcGIS Pro just to get Python set up...
Following.
Hi
We use some older installs of ArcGIS Server (10.3.1 and 10.6.1). Scanning the install for Log4j shows only older versions of Log4j under C:\Program Files\ArcGIS\Server\framework, dated 2005 and with version 1.2.12 in the manifest. I could not find any reference to the class or function names cited in the CVE-2021-44228 advisory. My initial thought is that these versions of ArcGIS Server do not use Log4j v2 and may not be vulnerable as a result.
I used this command from CMD, using the Java SDK utility jar.exe, to list the Java classes:
C:\Program Files\ArcGIS\Server\framework>forfiles /S /M *.jar /C "cmd /c jar -tvf @file | findstr /C:"log4j" && echo @path" > C:\Temp\log4j_info.txt
(see https://www.windows-commandline.com/search-classes-in-jar-file/)
Unzipping a copy of a jar file (rename & unzip) shows the version in the MANIFEST.MF file.
Regards
John
Looking at my servers, some have log4j 2.x, some don't. I realize it is still early on this, but an exact matrix of what does and doesn't have this would be really useful.
I am on ArcGIS Server 10.6.1
I have found this jar, which I think is affected:
"C:\Program Files\ArcGIS\Server\framework\lib\shared\log4j-core-2.8.2.jar"
Following the suggestions from
https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
I am going to delete from that Jar:
org/apache/logging/log4j/core/lookup/JndiLookup.class
I am also going to add the System environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS=true
Then reboot
Question: Are there any other Jars to fix or reconfigure?
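The two manual steps discussed above (list jars that carry the Log4j 2 JNDI lookup class and read the manifest version, then delete org/apache/logging/log4j/core/lookup/JndiLookup.class from the affected jar) can be scripted so the same check is repeatable across every ArcGIS machine. The block below is an added example written for this thread; it is not Esri's mitigation script, not the logpresso scanner, and not code from any post here. It builds two constructed sample jars under a temporary directory (a fake log4j-core-2.8.2.jar containing a placeholder JndiLookup.class entry, and a fake log4j-1.2.12.jar that has no such class) so it runs offline; the directory layout and file names only mimic the paths quoted in the thread. To use it for real, call scan() on an install root such as C:\Program Files\ArcGIS.

```python
"""Find archives that still contain Log4j 2's JndiLookup class and strip it.

Added example for this thread (not Esri's, logpresso's or any poster's code).
It mirrors the forfiles/jar -tvf listing and the class-deletion mitigation in
Python so the check can be repeated across hosts.
"""
import io
import os
import shutil
import tempfile
import zipfile

# The class whose presence makes CVE-2021-44228 reachable in Log4j 2.x.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(path):
    """Return (manifest_version, has_jndi_lookup); unreadable archives count as clean."""
    try:
        with zipfile.ZipFile(path) as zf:
            return manifest_version(zf), JNDI_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return None, False


def scan(root):
    """Walk root and list (path, version) for every archive still carrying JndiLookup."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                version, has_jndi = inspect_jar(path)
                if has_jndi:
                    hits.append((path, version))
    return sorted(hits)


def strip_jndi_lookup(path):
    """Rewrite the archive without JndiLookup.class, keeping path + '.bak'. True if removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    # Copy the entry with its original metadata (timestamp, compression).
                    dst.writestr(info, src.read(info.filename))
    shutil.copy2(path, path + ".bak")  # untouched copy for rollback
    with open(path, "wb") as out:
        out.write(buf.getvalue())
    return True


def make_sample_tree(root):
    """Constructed test data: a fake vulnerable log4j-core-2.8.2.jar and a fake log4j 1.2.12 jar."""
    core = os.path.join(root, "framework", "lib", "shared")
    os.makedirs(core)
    with zipfile.ZipFile(os.path.join(core, "log4j-core-2.8.2.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Version: 2.8.2\r\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    old = os.path.join(root, "framework", "lib", "old")
    os.makedirs(old)
    with zipfile.ZipFile(os.path.join(old, "log4j-1.2.12.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.12\r\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")  # 1.x package, no JndiLookup


def run_demo(root=None):
    """Build the sample tree, scan, strip, rescan. Returns (before, removed_flags, after)."""
    root = root or tempfile.mkdtemp(prefix="log4j-scan-")
    make_sample_tree(root)
    before = scan(root)
    removed = [strip_jndi_lookup(path) for path, _version in before]
    after = scan(root)
    return before, removed, after


if __name__ == "__main__":
    before, removed, after = run_demo()
    for path, version in before:
        print(f"[*] JndiLookup present in {path} (log4j {version})")
    print(f"removed from {sum(removed)} archive(s); remaining: {len(after)}")
```

Stop the ArcGIS service before rewriting a jar the JVM has open, and keep the .bak copies until the vendor patch is applied; this only removes the class, it does not upgrade Log4j. Note that the log4j2.formatMsgNoLookups switch (the LOG4J_FORMAT_MSG_NO_LOOKUPS variable) was introduced in Log4j 2.10.0 and has no effect on a 2.8.2 jar, so for that version the class removal or the vendor update is what actually changes the exposure. The scan looks only at top-level archives; jars nested inside a .war or .ear are not opened.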
The utility available at GitHub - logpresso/CVE-2021-44228-Scanner: Vulnerability scanner and mitigation patch for Log4j2 CVE... looks like a useful check.
Using the utility on ArcGIS Server 10.3.1 (Server only, no extensions) on Windows Server lists no vulnerabilities.
Using the utility on ArcGIS Server 10.6.1 (Server only, no extensions) on Windows Server lists the following issues:
C:\Users\bloggsj>D:\Temp\Utilities\log4j2-scan.exe "C:\Program Files\ArcGIS"
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\framework\lib\shared\log4j-core-2.8.2.jar, log4j 2.8.2
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\configurebasedeployment\lib\log4j-core.jar, log4j 2.8.2
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\createsite\lib\log4j-core.jar, log4j 2.8.2
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\upgradebasedeployment\lib\log4j-core.jar, log4j 2.8.2
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\upgradeserver\lib\log4j-core.jar, log4j 2.8.2
Scanned 5264 directories and 45936 files
Found 5 vulnerable files
Completed in 22.24 seconds
Regards
John
Ran the Github check:
10.9.1 GIS Server ships with log4j 2.14.1. I have not checked other components in 10.9.1.
10.8.1 Enterprise has a mix including 2.11.1
ESRI public release states (for 10.8.x and up) that "You will still see vulnerable Log4j version numbers on these systems, however it is not exploitable as their Java Runtime Environments (JRE) do not execute the code."
Be careful with the logic when thinking that 10.3.1 and other older versions with 1.x are not vulnerable simply because they are not popping up in the check.
From Apache for those on older/EOL Enterprise: Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed.
Hope this helps.
Good point about 10.3.1, thanks Erik. ArcGIS Servers (v10.3.1) use log4j v1.2.12, which is however vulnerable to some much older but lesser issues; see https://logging.apache.org/log4j/1.2/. This has a CVSS score of 7.5 and this threat has been around for many years. There is no fix.