Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses log4j and can assume some other Enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.
Thanks,
Hey Lauren,
We also had problems with publishing of hosted feature services in 10.9. But this had nothing to do with the scripts but with this bug: BUG-000142158
Restarting the ArcGIS Server service helped. And if this is the bug, it is fixed in 10.9.1.
Hi Mareike,
Thank you. But I somehow can't find that bug. Do you maybe have a link to it?
PS: I'm 100% sure the issue started after I applied the scripts. But I'm not 100% sure it's the cause. Maybe something else went wrong during the restart of the services.
@LaurensGIS Please open a case with Esri Support. We haven't yet seen an issue that is directly caused by this script - it only modifies Log4J files. We did test these scripts extensively before we released them.
The issue is resolved by just rebooting the server. I guess something went wrong when I started the AGS-service after running the scripts. This caused the existing hosted feature services to stop working.
My tests to publish hosted feature services failed. But that probably had a different cause. I tested with a feature class that is used in a relationship class. I think that generates this error: https://support.esri.com/en/technical-article/000014995.
After the reboot and testing with a different fc, I could successfully publish a hosted feature service.
So all is good now. Although I hope Esri will release an update for ArcGIS Pro shortly, because my IT department wants to get rid of the problematic log4j-files in ArcGIS Pro.
Look for an update in our advisory re: PRO today.
FWIW: Our response has initially focused first on what's most at risk and cascades from there. We are now moving to make statements regarding what's less at risk.
10.5.x is in "Mature Support" so I'm pretty sure that means ESRI doesn't provide any patches for those versions any longer. It would be best to migrate to a newer version that is supported in my honest opinion.
Technically 10.6.x will also enter "Mature Support" beginning January 2022. So for those that are on 10.6.x they caught this log4j vulnerability at the end of patch support luckily for them.
Having run these scripts and looked at the source: they look iteratively through folders, beginning from the path you provide and all the way down the rabbit hole, to find *log4j-core*.jar and pax-logging-log4j2\*\*.jar. So if it doesn't exist in the path, it won't report back any instances of the potentially vulnerable code within. Like @RandallWilliams points out below, it may mean that these systems are not subject to the log4j vulnerability but may be subject to others that haven't been patched and haven't blown up in the media.
100%. Let's keep it real:
Customers are (rightly) asking questions about a severe, media hyped vulnerability.
But what are customers doing to address the OTHER severe, NON-media hyped vulnerabilities we've patched in accordance with our product life cycle (where patches aren't available for software (like 10.5.x) in mature support)?
Esri has released 24 CVEs since becoming a CNA this year. There will be more early next year.
None of the patches for these CVEs target software in mature support.
Yes... of course.
The bulletin states, "The scripts have been validated for versions 10.6 and above, however they should work on older versions of ArcGIS Enterprise and ArcGIS Server as well."
Well I tested it on 10.5, and now sharing the result 🙂
Hi Cort, I looked at Server at both 10.3.1 and 10.6.1 for this issue earlier. Most likely 10.5 has no installs of log4j v2 (which is where the current vulnerability lies). However, it most likely has installs of log4j v1, which is now deprecated and has bugs of its own (but not as severe). So the supplied patch won't do anything for your 10.5 install. I can only suggest following ESRI's advice in the blog re upgrades etc. Of course upgrading is often easier said than done, depending on your resources.
I have run the mitigation scripts and I believe they worked (removed the class), but I am still not sure of any consequences of removing the lookup. It would be helpful to understand how Apache products are used by ArcGIS Server. Is Log4j used for logging in ArcGIS Server, perhaps? I just want to understand, at least at a high level.
Given the risk in using open source, the dependencies should, in my opinion, be documented.
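The two points raised in this thread (how the scan walks a path for *log4j-core*.jar and pax-logging-log4j2 jars, and how to confirm the JndiLookup class was actually removed afterwards) can be checked independently of Esri's scripts. The following is an added example written for this page; it is not Esri's mitigation script and not code posted by anyone in the thread. The directory layout, jar names and versions it builds are constructed sample data in a temporary folder, not a real ArcGIS install, and the "needs attention" rule (JndiLookup.class present and log4j-core version below 2.16.0, the release that disabled JNDI lookups by default) is this example's own choice:

```python
"""Walk a path for Log4j 2 core jars and report whether JndiLookup.class is still inside.

Added example, not Esri's script. Sample jars are constructed in a temp directory.
"""
import fnmatch
import os
import re
import tempfile
import zipfile

# Class whose presence enables the JNDI lookups abused by CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_PATTERN = "*log4j-core*.jar"
PAX_DIR = "pax-logging-log4j2"      # these jars bundle log4j-core classes
FIXED_VERSION = (2, 16, 0)          # JNDI lookups disabled by default from 2.16.0


def find_candidate_jars(root):
    """Walk root and return jars matching the two patterns the scripts look for."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        under_pax = PAX_DIR in dirpath.split(os.sep)   # anything under pax-logging-log4j2\*\
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            if fnmatch.fnmatch(name.lower(), JAR_PATTERN) or under_pax:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def _version_from_jar(zf, names):
    """Read the Maven version from pom.properties, falling back to the manifest."""
    for n in names:
        if n.startswith("META-INF/maven/") and n.endswith("pom.properties"):
            m = re.search(r"^version=(.+)$", zf.read(n).decode("utf-8", "replace"), re.M)
            if m:
                return m.group(1).strip()
    if "META-INF/MANIFEST.MF" in names:
        m = re.search(r"^Implementation-Version:\s*(.+)$",
                      zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"), re.M)
        if m:
            return m.group(1).strip()
    return None


def inspect_jar(path):
    """Report the jar's version and whether JndiLookup.class is still present."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        return {"path": path,
                "version": _version_from_jar(zf, names),
                "jndi_lookup_present": JNDI_CLASS in names}


def needs_attention(info):
    """True when the JNDI class is present and the jar cannot be shown to be 2.16.0+."""
    if not info["jndi_lookup_present"]:
        return False                # class removed: the mitigation the scripts apply
    if PAX_DIR in info["path"].split(os.sep):
        return True                 # pax version is not the log4j version; class presence decides
    if info["version"] is None:
        return True                 # cannot prove it is fixed, so flag it
    nums = tuple(int(p) for p in re.findall(r"\d+", info["version"])[:3])
    return nums < FIXED_VERSION


def _write_jar(path, version, include_jndi):
    """Constructed sample jar: only a manifest, a pom.properties and an optional placeholder class."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/sample/sample/pom.properties", f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder bytes, not real bytecode


def build_sample_tree(root):
    """Hypothetical layout for the demo; not a real ArcGIS directory structure."""
    _write_jar(os.path.join(root, "Server", "framework", "lib", "log4j-core-2.13.3.jar"),
               "2.13.3", True)     # unpatched
    _write_jar(os.path.join(root, "Portal", "lib", "log4j-core-2.11.2.jar"),
               "2.11.2", False)    # class already removed by a mitigation run
    _write_jar(os.path.join(root, "Server", PAX_DIR, "1.11.4", "pax-logging-log4j2-1.11.4.jar"),
               "1.11.4", True)     # bundled copy, unpatched
    _write_jar(os.path.join(root, "Server", "legacy", "log4j-1.2.17.jar"),
               "1.2.17", False)    # log4j 1.x: not matched by the scan, as noted in the thread


def demo():
    """Build the sample tree, scan it and return one result dict per candidate jar."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        results = [inspect_jar(p) for p in find_candidate_jars(root)]
        for info in results:
            info["needs_attention"] = needs_attention(info)
            info["rel"] = os.path.relpath(info["path"], root)
    return results


if __name__ == "__main__":
    for r in demo():
        print(f'{r["rel"]}: version={r["version"]} jndi={r["jndi_lookup_present"]} '
              f'needs_attention={r["needs_attention"]}')
```

Point `find_candidate_jars` at an install root instead of the sample tree to run it against a real server. Note what the scan deliberately does not cover: log4j 1.x jars (the `log4j-1.2.17.jar` above) never match `*log4j-core*.jar`, which is why a clean report on an old release says nothing about the 1.x issues mentioned earlier in the thread, and a jar that has had `JndiLookup.class` deleted reports as mitigated whatever its version string says.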