Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java Log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses Log4j and can assume some other Enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.
Thanks,
I had a question about the risk. Based on what I can find out, would the risk only apply to externally facing LDAP and other JNDI-related endpoints? Applications such as GeoEvent Server, GIS Portal or Geoportal implementations?
Internal implementations of ArcGIS Server, or even external implementations that don't use Active Directory, should be risk free from what I can tell. Is this correct?
See this link for details: https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
Essentially someone can trigger a URL and download a payload if Log4j has access to the internet. The application doesn't have to have anything to do with LDAP; it's just a way to trigger the URL.
With a `:` present in the key, as in [example removed to get through the ESRI WAF], there's no prefix and the LDAP server is queried for the object. These lookups can be used both in the configuration of Log4j and when lines are logged.
So all an attacker has to do is find some input that gets logged and add something like [example removed to get through the ESRI WAF]. This could be a common HTTP header like User-Agent (which commonly gets logged) or perhaps a form parameter like username that might also be logged.
Question regarding ArcGIS Pro: "Recent releases of ArcGIS Pro contain Log4j but are not known to be exploitable as the software does not listen for remote traffic." What version of Log4j is in ArcGIS Pro 2.9? I just updated my ArcGIS Pro on my server and checked; the file I have is "log4j-1.2.17.jar". Could I interpret this as: ArcGIS Pro doesn't listen for remote traffic, so it shouldn't be an issue if I have an older version of Log4j?
I'm on ArcGIS Enterprise 10.8.1, in-place upgrade last October. I have log4j-1.2.17.jar and someone mentioned 10.8.1 ships with log4j-2.x. Wondering if this wasn't updated during the upgrade?
Hi Randall,
Does the current mitigation script address this vulnerability in the ArcGIS web adaptors?
Thanks,
Todd
The web adaptor is not exploitable. The Java web adaptor contains log4j-api-[version#].jar, which is not impacted by this issue.
Thank you for the update @RandallWilliams!
Just in case this helps anyone else, we successfully ran the mitigation script today against Enterprise 10.8 hosted in Azure, deployed using Cloud Builder.
Thank you for all the work getting the script together so quickly.
A scan, after running the script for ArcGIS\Server, ArcGIS\Portal and ArcGIS\DataStore still shows this present in our install:
C:\arcgis\arcgisportal\dsdata\elasticsearch_7.3.0\lib\log4j-core-2.11.1.jar
Can this simply be deleted?
The scripts don't delete log4j*.jar - they delete the jndilookup.class from inside the .jar.
You made the same mistake I did. You missed step 8: https://support.esri.com/en/Technical-Article/000026950
So you also have to run the script on this directory c:\arcgis\arcgisportal
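For anyone who wants to verify the cleanup discussed in this thread, here is a small Python checker (an added example, not Esri's own mitigation script) that walks a directory such as c:\arcgis\arcgisportal, lists every log4j*.jar that still contains JndiLookup.class, and can strip that single entry from a jar the way the script does. The jar tree it builds is constructed for the demo; point scan() at a real install root instead.

```python
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_has_jndilookup(jar_path):
    """True if the jar still carries the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()

def scan(root):
    """Paths of every log4j*.jar under root that still contains JndiLookup."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().startswith("log4j") and name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                if jar_has_jndilookup(path):
                    hits.append(path)
    return sorted(hits)

def strip_jndilookup(jar_path):
    """Rewrite jar_path without JndiLookup.class (what the mitigation script does)."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, \
         zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)  # swap in the cleaned jar only after it is complete

def make_sample_tree():
    """Constructed sample: a core jar with the class and an api jar without it."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "elasticsearch_7.3.0", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.11.1.jar"), "w") as jar:
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(root, "log4j-api-2.11.1.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root

if __name__ == "__main__":
    root = make_sample_tree()
    for hit in scan(root):
        print("JndiLookup still present:", hit)
        strip_jndilookup(hit)
    print("after mitigation:", scan(root))
```

Note that, exactly as the reply above says, this leaves the log4j*.jar files in place and only removes the lookup class, so a file-name scan will keep reporting log4j-core-2.11.1.jar until it is checked by content.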