ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

12-11-2021 09:13 AM
Carl_Flint
New Contributor III

Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses log4j and can assume some other enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
162 Replies
RandallWilliams
Esri Regular Contributor

We removed that statement as information has come out contraindicating that advice. 

https://logging.apache.org/log4j/2.x/security.html

Pei-SanTsai
New Contributor III

I'm using ArcGIS Enterprise 10.8.1 and did an in-place upgrade last year. Our cyber security team generated a list of my servers impacted by the Apache Log4j vulnerability. For example, ArcGIS Server at C:\Program Files\ArcGIS\Server\framework\runtime\zookeeper\lib\log4j-1.2.17.jar. I see someone's post that 10.8.1 ships with a 2.x version, so I'm wondering why I have version 1.2.17? Our cyber security team suggested fixed version: 2.15.0. I don't know if I should be downloading version 2.15.0 to replace the older version in all the files that they scanned on my GIS servers, which impacts stand-alone ArcGIS Server, federated GIS Server, GeoEvent Server, Data Store and Portal. Or wait till ESRI has more detail for the mitigation?

DataStore: C:\Program Files\ArcGIS\DataStore\framework\runtime\elasticsearch_6.4.2\lib\log4j-core-2.11.1.jar

GIS Server/Federated Server/ GeoEvent Server: C:\Program Files\ArcGIS\Server\framework\runtime\zookeeper\lib\log4j-1.2.17.jar

Portal seems to be in the upgrade backup folder only: arcgisportal\upgrade-backup\10.8.0\dsdata\elasticsearch_7.3.0\lib\log4j-core-2.11.1.jar

ArcGIS Pro: C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\log4j-1.2.17.jar

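An added defender-side example, not code from this thread or from Esri: it inventories log4j jars under install roots such as the ones listed in this post and classifies each by artifact, version and whether a log4j-core jar still contains JndiLookup.class. The classification relies only on the jar file name and that class entry (no manifest parsing), the sample jar tree it builds is constructed for illustration, and 2.15.0 is used as the first log4j-core release addressing CVE-2021-44228.

```python
import re, tempfile, zipfile
from pathlib import Path

JAR_RE = re.compile(r"^(log4j(?:-[a-z0-9]+)?)-(\d+(?:\.\d+)+)\.jar$", re.I)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)  # first log4j-core release addressing CVE-2021-44228

def classify(jar: Path) -> dict:
    """Classify one log4j jar by artifact, version and JndiLookup presence."""
    m = JAR_RE.match(jar.name)
    artifact = m.group(1).lower()
    version = tuple(int(x) for x in m.group(2).split("."))
    with zipfile.ZipFile(jar) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    if version[0] == 1:
        status = "log4j 1.x: outside the CVE-2021-44228 range (EOL, covered by separate advisories)"
    elif artifact != "log4j-core":
        status = "not log4j-core: the JNDI lookup class ships in log4j-core only"
    elif version >= FIXED:
        status = "log4j-core >= 2.15.0: patched for CVE-2021-44228 (check later advisories too)"
    elif has_jndi:
        status = "AFFECTED: log4j-core < 2.15.0 with JndiLookup.class present"
    else:
        status = "mitigated: log4j-core < 2.15.0 but JndiLookup.class has been removed"
    return dict(path=str(jar), artifact=artifact, version=version, jndi=has_jndi, status=status)

def scan(roots) -> list:
    """Walk each root (e.g. C:\\Program Files\\ArcGIS) and classify every log4j*.jar found."""
    return [classify(j) for r in roots for j in Path(r).rglob("*.jar") if JAR_RE.match(j.name)]

def build_sample_tree(root: Path) -> None:
    """Constructed sample jars mirroring paths reported in the thread; not real Esri files."""
    samples = {
        "Server/framework/runtime/zookeeper/lib/log4j-1.2.17.jar": [],
        "DataStore/framework/runtime/elasticsearch_6.4.2/lib/log4j-core-2.11.1.jar": [JNDI_CLASS],
        "DataStore/framework/runtime/elasticsearch_6.4.2/lib/log4j-api-2.11.1.jar": [],
    }
    for rel, entries in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(root / rel, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")  # empty body: only the entry name matters here

def demo() -> dict:
    """Build the constructed tree in a temp dir and return {jar name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return {Path(r["path"]).name: r["status"] for r in scan([tmp])}
```

On a real host, call scan() with the install roots instead of demo(); the output separates the 1.x zookeeper/spark jars from the 2.11.1 elasticsearch core jar that actually falls in the affected range.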
RandallWilliams
Esri Regular Contributor

It's a dependencies upon dependencies issue. Esri doesn't "own" zookeeper or elasticsearch or spark. Those all come from 3rd parties, and those third parties have to themselves provide fixes for us to incorporate, then perform all the regression testing etc. It's overly simplistic (bordering on naïve) for an IT group to say "Just replace this file and poof, problem solved." If it was that easy, we'd have had a fix already. Software in general just doesn't work like that. Just replacing those files will simply not work.

We are working feverishly on this issue and have been since Friday. We are close - assuming Apache doesn't introduce more whammies. Like for instance, the advice your IT group provided is already out of date. Log4J 2.16 was released yesterday to address another issue, and the guidance provided by Apache changes daily. Our advisory will continue to be updated this evening. 

https://logging.apache.org/log4j/2.x/security.html

Scott_Tansley
MVP Regular Contributor

Randall,

Respect to you and the team. I honestly think you're doing an awesome job under the circumstances. Thanks for being so transparent in these pages.

Regards,

Scott Tansley
https://www.linkedin.com/in/scotttansley/
AnnetteFarrell
New Contributor II

Hi Randall,  Thanks for all your work so far.

Are there any expectations as to when a fix for 10.7.1 will be available? 

Updating the WAF alone for our public facing ArcGIS Enterprise environments is still considered a risk by our security team.  Upgrading to 10.9.1 is something we had scheduled for the end of January and due to multiple interfacing applications is not something we can easily do.

Our systems are now 3 days offline.

Any information regarding a patch for 10.7.1 would be appreciated.

Scott_Tansley
MVP Regular Contributor

Just a heads up for everyone. I undertook a scheduled 10.8.1 to 10.9.1 upgrade of an Enterprise Base Deployment. The Portal failed to create its Windows Service. There was no information available to me in the Windows OS. My client reverted to the VM snapshot, uninstalled the anti-virus and we reinstalled. Everything has worked. The evidence from a single install suggests that AVs may be attacking the log4j components; obviously there may be different behaviours between AVs and it may be a false positive, but knowing people will be scrambling to upgrade, I wanted to share a learning. Without the AV, the reverted system upgraded effortlessly and as expected.

Just something to keep in the back of your mind.
Scott Tansley
https://www.linkedin.com/in/scotttansley/
JimSahlie
New Contributor II

Do you mind sharing which AV product your client is using?

JohnBrockwell
Occasional Contributor III

My Two Cents: McAfee EndPoint meddled with my upgrades from 10.5.1 to 10.6.1, & 10.6.1 to 10.7.1. I now request it be disabled prior to starting any upgrade. I will never ever conduct an upgrade/install with A/V running. Particularly, the McAfee Scanner Service.

Scott_Tansley
MVP Regular Contributor

I used to do the same a few years ago, but haven’t needed to more recently.  It’s certainly a concern again now though. 

Scott Tansley
https://www.linkedin.com/in/scotttansley/
Scott_Tansley
MVP Regular Contributor

Trend Micro Deep Security

Scott Tansley
https://www.linkedin.com/in/scotttansley/