ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

12-11-2021 09:13 AM
Carl_Flint
New Contributor III

Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses log4j and can assume some other enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
162 Replies
Carl_Flint
New Contributor III

Install miniconda3; it's a minimal Anaconda Python setup. I'd also suggest looking into Chocolatey or Scoop as a package manager for Windows. Make your own life a little easier.

Carl Flint, GISP
jorisfrenkel
Occasional Contributor II

When running the Python script with the --delete, I get the error

OSError: [WinError 145] The directory is not empty: 'C:\\Users\\<user>\\AppData\\Local\\Temp\\2\\tmptl5ay2w1\\org\\apache\\logging\\log4j\\core\\tools'

The listing runs fine.

0 Kudos
ThomasIllingworth
New Contributor III

We've just got a similar error on our attempt in our test environment.

We ran the CMD as administrator.

 OSError: [WinError 145] The directory is not empty: 'C:\\Users\\ADEB3D~1\\AppData\\Local\\Temp\\tmpw8tj9mrg\\org\\apache\\logging\\log4j\\core'

We ran the list again afterwards; it patched the first 1 of 5 but not the

D:\ArcGIS\Server\framework\lib\shared\log4j-core-2.8.2.jar -- patched
D:\ArcGIS\Server\tools\configurebasedeployment\lib\log4j-core.jar -- needs patching
D:\ArcGIS\Server\tools\createsite\lib\log4j-core.jar -- needs patching
D:\ArcGIS\Server\tools\upgradebasedeployment\lib\log4j-core.jar -- needs patching
D:\ArcGIS\Server\tools\upgradeserver\lib\log4j-core.jar -- needs patching

Anyone got any suggestions?

ThomasIllingworth
New Contributor III

We ran the tool again and this time it worked. We are considering running this again to see if it is a one-off.

D:\Log4j>D:\ArcGIS\Server\framework\runtime\ArcGIS\bin\Python\envs\arcgispro-py3\python.exe log4shellmitigation.py --list D:\ArcGIS\Server
Product home: D:\ArcGIS\Server
Pattern to search: D:\ArcGIS\Server\**\*log4j-core*.jar
Pattern to search: D:\ArcGIS\Server\**\pax-logging-log4j2\*\*.jar
Found files: 5
D:\ArcGIS\Server\framework\lib\shared\log4j-core-2.8.2.jar -- patched
D:\ArcGIS\Server\tools\configurebasedeployment\lib\log4j-core.jar -- patched
D:\ArcGIS\Server\tools\createsite\lib\log4j-core.jar -- patched
D:\ArcGIS\Server\tools\upgradebasedeployment\lib\log4j-core.jar -- patched
D:\ArcGIS\Server\tools\upgradeserver\lib\log4j-core.jar -- patched
Summary:
System has been patched. No updates are needed.
All done!

D:\Log4j>

jorisfrenkel
Occasional Contributor II

I tried several times, but it doesn't reach the end.

Joris Frenkel

0 Kudos
jorisfrenkel
Occasional Contributor II

Seems to be a Windows file locking issue:

https://stackoverflow.com/questions/303200/how-do-i-remove-delete-a-folder-that-is-not-empty

I changed the two lines in the script where temp folders are removed to:

shutil.rmtree(temp_dir_name, ignore_errors=True)

(adding ignore_errors=True)

and now it works.

MattFancher1
New Contributor III

Thanks @jorisfrenkel! The script ran without issue for me on all but one server. But then I made the change you suggested and it got the job done.

0 Kudos
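Since `ignore_errors=True` silences temp-folder cleanup failures, a read-only check of each jar is a useful follow-up after running the script. The sketch below is an added example, not part of any post in this thread and not Esri's script. It assumes "patched" means `JndiLookup.class` is absent from the archive (the mitigation Apache documented for CVE-2021-44228); the function names and the sample tree are constructed.

```python
import tempfile
import zipfile
from pathlib import Path

# Glob patterns as printed by the script's --list output in this thread.
PATTERNS = ("**/*log4j-core*.jar", "**/pax-logging-log4j2/*/*.jar")
# Assumption: "patched" means this class is no longer in the archive.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_status(jar_path):
    """Classify one jar by reading its directory in place (no extraction)."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
    except (OSError, zipfile.BadZipFile):
        return "unreadable"  # locked or truncated archive: report, don't guess
    return "needs patching" if JNDI_LOOKUP in names else "patched"


def scan(product_home):
    """Return {jar path: status} for every jar matching PATTERNS."""
    home = Path(product_home)
    found = {p for pattern in PATTERNS for p in home.glob(pattern)}
    return {str(p): jar_status(p) for p in sorted(found)}


def build_constructed_tree(root):
    """Constructed sample layout for the demo (not a real ArcGIS install)."""
    layout = {
        "framework/lib/shared/log4j-core-2.8.2.jar": ["META-INF/MANIFEST.MF"],
        "tools/createsite/lib/log4j-core.jar": [JNDI_LOOKUP],
    }
    for rel, members in layout.items():
        jar = Path(root, rel)
        jar.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(jar, "w") as z:
            for m in members:
                z.writestr(m, b"")
    broken = Path(root, "tools/upgradeserver/lib/log4j-core.jar")
    broken.parent.mkdir(parents=True)
    broken.write_bytes(b"PK\x03\x04cut")  # truncated archive
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, status in scan(build_constructed_tree(tmp)).items():
            print(f"{path} -- {status}")
```

Because nothing is unpacked to a temp folder, this check cannot hit the `WinError 145` cleanup failure, and an "unreadable" result flags a jar that a failed rewrite may have left damaged.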
MareikeKociok
New Contributor II

I have a question about the recommended scripts regarding ArcGIS Enterprise and ArcGIS Server stand-alone 10.5-10.5.1 (Yes, we know the versions are quite old, but upgrading was not possible due to internal reasons so far).

The blog states the scripts have been validated for versions 10.6 and above, however they should work on older versions of ArcGIS Enterprise and ArcGIS Server as well.

@RandallWilliams Could you let us know if Esri plans to test this for 10.5.x as well? This message is too uncertain at the moment to roll out the scripts in customer production systems. Or vice versa, why should they work in the older versions as well? Could you give me some background information about this? Thanks a lot for all your help.

CortWilson
Occasional Contributor

@RandallWilliams 

I've run the --list function from the mitigation script on our 10.5 ArcGIS Server and I receive 0 results....

Is this good news? or bad news in that the script just simply doesn't work on 10.5......

Pattern to search: c:\Program Files\ArcGIS\Server\**\*log4j-core*.jar
Pattern to search: c:\Program Files\ArcGIS\Server\**\pax-logging-log4j2\*\*.jar
Found files: 0
All done!

C:\log4shellmitigation>

 

0 Kudos
LaurensGIS
New Contributor III

We have ArcGIS Enterprise 10.9. This morning I executed the recommended scripts. 

Now my hosted feature services don't work anymore. I can't publish new ones either. Is this just my bad luck or does anyone else have the same issue?

0 Kudos