Select to view content in your preferred language

ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

54786
162
Jump to solution
12-11-2021 09:13 AM
Carl_Flint
Occasional Contributor

Good afternoon, is there any patches in the works or potential mitigation steps for the latest java log4j vulnerability (CVE-2021-44228)?  I know that GeoEvent server uses log4j and can assume some other enterprise server's or portal potentially do as well.  Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
162 Replies
RandallWilliams
Esri Regular Contributor

You'll need to restart all ArcGIS Enterprise components for the processes to pick up the environment variable.

ThomasIllingworth
Regular Contributor

Hi Randall

Quick question is there a guide anywhere for setting up the environment variable for ArcGIS anywhere? Never set up one myself before

Thanks

Tom

RexRobichaux
Frequent Contributor

Hey Thomas- I posted a video link a few comments down. Hope it's helpful. 

 

-Rex

ThomasIllingworth
Regular Contributor

Hey Rex

Thanks for the post video link and comments below will take a look 🙂

0 Kudos
RexRobichaux
Frequent Contributor

I'm not speaking authoritatively, but when I created the system environment variable on our servers, I restarted each Windows Service associated with ArcGIS Enterprise (ArcGIS Data Store, ArcGIS Portal, and ArcGIS Server). A server restart should do the trick as well as a more blanket approach. 

AndrewFarrar
Frequent Contributor

Anyone have any insight as to where or how they are creating this system environment variable?

Carl_Flint
Occasional Contributor
0 Kudos
RexRobichaux
Frequent Contributor

EDIT: As Randall has mentioned below, it looks like Apache has retracted their mitigation suggestion of adding the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable. Therefore, this won't be an effective (at least not fully) technique to mitigate  risk. From Apache as of this evening: 

  

Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.

The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.

The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar.

 

Original: I can post screen shots if you'd like, but I think this video covers the workflow pretty well. Just ensure to restart the ArcGIS Enterprise (Server/Portal/Data Store) Services under Services on each server following the creation of the variable (this video shows them restarting other services at the end). This assumes you are running ArcGIS Enterprise on a Windows Server. 

 

https://www.youtube.com/watch?v=CoUi4Hk6P3Y&t=0s

rshihab
Occasional Contributor

thank you so much; does this will also be applicable to 10.6

Ramla Shihab
0 Kudos
SimonSchütte_ct
Frequent Contributor

Administrators can set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to govern the vulnerable Log4j functions.  This can partially mitigate attacks against ArcGIS Enterprise for this vulnerability and will not harm the software.
https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2...

@RandallWilliamsWhen you state this can partially mitigates attacks - could you elaborate what part is still left vulnerable?