ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

12-11-2021 09:13 AM
Carl_Flint
New Contributor III

Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses log4j and can assume some other Enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
162 Replies
Aaron-L
New Contributor II

Can someone from ESRI please provide an ETA on a patch?

It is very worrisome to be running a version of log4j that is on the vulnerable list and just hoping that it is "mitigated" as stated in the ESRI Blog.

randoodlydingdangdodlyWilliams
New Contributor II

MichaelDavis3
Occasional Contributor III

Thanks randoodlydingdangdodlyWilliams... if that is your real name. It would be great if ESRI could include guidance or advice on the "fix" applied by tools like this: https://github.com/logpresso/CVE-2021-44228-Scanner

I understand you would prefer everyone update their ArcGIS Enterprise servers to 10.8.1+, but here it is 2021 and ArcGIS Server upgrades continue to be multi-day affairs, fraught with peril, requiring system snapshots and frequently failing and requiring rollbacks. There is a reason so many customers are not on the latest version of AGS.
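
The "fix" referred to above is, in the case of the linked scanner, the removal of the JndiLookup class from affected log4j jars. The following is an added read-only example, not Esri's code and not the logpresso tool: it walks a directory, opens every jar/war/ear (including jars nested inside a war's WEB-INF/lib), and reports archives that still contain `org/apache/logging/log4j/core/lookup/JndiLookup.class` together with the `Implementation-Version` from their manifest, so an administrator can verify whether a mitigation was actually applied on a given server. The file names and archive contents built by `build_sample_tree` are constructed sample data, not real ArcGIS Enterprise paths.

```python
"""Added example (not Esri's or logpresso's code): report jar files that still
carry JndiLookup.class, the class removed by mitigations for CVE-2021-44228.
The scanner only reads archives; it never modifies them."""
import io
import os
import sys
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _read_version(zf):
    """Return Implementation-Version from the manifest, or None if absent."""
    try:
        text = zf.read(MANIFEST).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_zip(zf, label):
    """Findings for one open archive; recurses into nested archives."""
    findings = []
    names = zf.namelist()
    if JNDI_LOOKUP in names:
        findings.append({"archive": label, "version": _read_version(zf)})
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real archive, skip it
            with inner:
                findings.extend(scan_zip(inner, f"{label}!{name}"))
    return findings


def scan_path(root):
    """Walk a directory tree and scan every archive found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(scan_zip(zf, full))
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree(root):
    """Constructed sample data: one jar still holding JndiLookup.class, one
    jar with the class stripped, and a war that nests the unstripped jar."""
    manifest = "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n"
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class
    vuln = os.path.join(root, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(vuln, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr(JNDI_LOOKUP, fake_class)
    stripped = os.path.join(root, "log4j-core-stripped.jar")
    with zipfile.ZipFile(stripped, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr("org/apache/logging/log4j/core/Core.class", fake_class)
    war = os.path.join(root, "app.war")
    with zipfile.ZipFile(war, "w") as zf, open(vuln, "rb") as f:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", f.read())
    return root


def demo():
    """Scan the constructed tree; return (archive, version) pairs, root stripped."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = scan_path(tmp)
        return sorted((f["archive"][len(tmp) + 1:], f["version"]) for f in found)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_path(target) if target else demo()
    for item in results:
        print(item)
```

Run it with a directory argument to scan a real installation tree, or without one to scan the constructed sample; the stripped jar produces no finding, while the unstripped jar is reported both on disk and inside the war.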

berniejconnors
Occasional Contributor III

Yes, MichaelDavis3, that is our experience with ArcGIS Server upgrades too. Our last upgrade project took us from 10.2.2 to 10.7.1 and it lasted two years and was fraught with peril, problems, testing and performance tuning, lots of performance tuning.

Bernie.

Ikebana
New Contributor II

That's a 5-year jump...

What's the reason for not upgrading at shorter intervals?

berniejconnors
Occasional Contributor III

We are a small team and the upgrades take soooo much time. We would rather spend our time building better end user products and new datasets instead of wrestling with ArcGIS Server upgrades.

Ikebana
New Contributor II

ArcGIS Server had issues with upgrading in older versions. These days I perform a complete base Enterprise upgrade in about 8 hours.

I think it's crucial to plan for an upgrade plan before even starting to think about using software. And this is not just due to ArcGIS. It's the same for Windows Server OS or SQL management.

Of course it takes more time if you have a lot of integration with other systems and so on, but upgrades today are not that big a deal if you have your server environment in order. That's my view of this :).

RandallWilliams
Esri Regular Contributor

Lol, yes it's me. I have both corporate and my AGO profiles. I changed my AGO username years ago when doing some fuzz testing. Sorry for the confusion.

AndrewFarrar
Occasional Contributor

I figured as much, just wanted to confirm!

AndrewFarrar
Occasional Contributor

@RandallWilliams , just confirming that this post was actually from you?
