Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses log4j, and I can assume some other Enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.
Thanks,
Our current statement is available on https://trust.arcgis.com. Look for more updates as this issue evolves.
I'm also waiting to hear any news from ESRI about this.
A quick filesystem search on a stand-alone ArcGIS Server installation shows numerous components using log4j. This won't just be about patching a file, but lots of files involving multiple components of multiple products. A not-so-happy holidays for Esri dev teams.
Really interested on this topic too.
I found it here on my Portal for ArcGIS server:
E:\arcgisportal\upgrade-backup\10.5.1\dsdata\elasticsearch_2.3.2\lib
File Name:
apache-log4j-extras-1.2.17.jar
The file is located in a 10.5.1 backup folder. I am currently running 10.8.1. Does it matter?
Sorry for the delayed reply. I see what you're saying, we made a backup when you upgraded. That's a backup in case your upgrade failed and you needed to bail out. I'd maybe archive it on an offline drive and just delete that directory.
That version of Log4j is not affected. Only versions 2.0 - 2.14.1 are.
https://www.zdnet.com/article/log4j-zero-day-flaw-what-you-need-to-know-and-how-to-protect-yourself/
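The filesystem search mentioned earlier in the thread and the version check in the reply above can be combined into a small inventory script. This is an added example, not code from Esri or from anyone in the thread; it matches log4j jars by filename, parses the version, and flags the 2.0 - 2.14.1 range the reply states. The ArcGIS backup path is the one posted above; the other two paths are constructed.

```python
import os
import re

# Matches log4j artifact jars such as log4j-core-2.14.1.jar,
# apache-log4j-extras-1.2.17.jar or log4j-1.2.17.jar and captures the version.
LOG4J_JAR = re.compile(
    r"^(?:apache-)?log4j(?:-[a-z0-9]+)*?-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE
)
# Affected range as stated in the thread: 2.0 through 2.14.1 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (2, 0), (2, 14, 1)


def parse_log4j_version(path):
    """Return the version tuple of a log4j jar, or None if the file is not log4j."""
    name = re.split(r"[\\/]", path)[-1]  # handle Windows and POSIX separators
    m = LOG4J_JAR.match(name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version):
    """True when the version falls inside the 2.0 - 2.14.1 range."""
    return AFFECTED_MIN <= tuple(version) <= AFFECTED_MAX


def classify_paths(paths):
    """Return [(path, version string, affected)] for every log4j jar in paths."""
    results = []
    for path in paths:
        version = parse_log4j_version(path)
        if version is not None:
            results.append((path, ".".join(map(str, version)), is_affected(version)))
    return results


def scan_tree(root):
    """Walk an install directory, upgrade-backup folders included, and classify jars."""
    return classify_paths(
        os.path.join(d, f) for d, _, files in os.walk(root) for f in files
    )


if __name__ == "__main__":
    # Constructed sample: the jar reported in the thread plus two hypothetical paths.
    sample = [
        r"E:\arcgisportal\upgrade-backup\10.5.1\dsdata\elasticsearch_2.3.2\lib\apache-log4j-extras-1.2.17.jar",
        r"C:\example\lib\log4j-core-2.14.1.jar",
        r"C:\example\lib\log4j-core-2.15.0.jar",
    ]
    for path, ver, hit in classify_paths(sample):
        print("AFFECTED" if hit else "ok", ver, path)
```

Point `scan_tree` at an ArcGIS install root to list every log4j jar it contains, including copies left in backup directories like the one found above.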
also interested
Following. Thanks for raising.
Also following.