ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

12-11-2021 09:13 AM
Carl_Flint
New Contributor III

Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java Log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses Log4j and can assume some other Enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
162 Replies
MareikeKociok
New Contributor II

Hey Lauren,

We also had problems with publishing hosted feature services in 10.9. But this had nothing to do with the scripts but with this bug: BUG-000142158

Restarting the ArcGIS Server service helped. And if this is the bug, it is fixed in 10.9.1.

LaurensGIS
New Contributor III

Hi Mareike,

Thank you. But I somehow can't find that bug. Do you maybe have a link to it?

PS: I'm 100% sure the issue started after I applied the scripts. But I'm not 100% sure it's the cause. Maybe something else went wrong during the restart of the services.

RandallWilliams
Esri Regular Contributor

@LaurensGIS Please open a case with Esri Support. We haven't yet seen an issue that is directly caused by this script - it only modifies Log4j files. We did test these scripts extensively before we released them.

LaurensGIS
New Contributor III

The issue is resolved by just rebooting the server. I guess something went wrong when I started the AGS service after running the scripts. This caused the existing hosted feature services to stop working.

My tests to publish hosted feature services failed. But that probably had a different cause. I tested with a feature class that is used in a relationship class. I think that generates this error: https://support.esri.com/en/technical-article/000014995

After the reboot and testing with a different fc, I could successfully publish a hosted feature service.

So all is good now. Although I hope Esri will release an update for ArcGIS Pro shortly, because my IT department wants to get rid of the problematic log4j files in ArcGIS Pro.

RandallWilliams
Esri Regular Contributor

Look for an update in our advisory re: Pro today.

FWIW: Our response has initially focused first on what's most at risk and cascades from there. We are now moving to make statements regarding what's less at risk.

Carl_Flint
New Contributor III

10.5.x is in "Mature Support", so I'm pretty sure that means ESRI doesn't provide any patches for those versions any longer. It would be best to migrate to a newer version that is supported, in my honest opinion.

Technically 10.6.x will also enter "Mature Support" beginning January 2022. So for those on 10.6.x, they caught this log4j vulnerability at the end of patch support, luckily for them.

ESRI Product lifecycle doc

Having run these scripts and looked at the source, they look iteratively through folders, beginning from the path you provide and down the rabbit hole, to find *log4j-core*.jar and pax-logging-log4j2\*\*.jar (where * is a wildcard). So if it doesn't exist in the path, it won't report back any instances of the potentially vulnerable code within. Like @RandallWilliams points out below, it may mean that these systems are not subject to the log4j vulnerability but may be to others that haven't been patched and haven't blown up in the media.

Carl Flint, GISP
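An added read-only audit script, not Esri's mitigation script and not from this thread, that walks a directory tree using the same two file-name patterns Carl describes and reports, for each matching jar, its manifest version and whether JndiLookup.class is still inside, so you can confirm the mitigation actually removed the class. The sample tree it builds (paths and version strings) is constructed for illustration and does not represent a real ArcGIS install.

```python
import fnmatch, os, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def is_candidate(dirpath, name):
    # Same two patterns the thread describes: *log4j-core*.jar anywhere, or any
    # jar beneath a pax-logging-log4j2* directory (GeoEvent's OSGi layout).
    if fnmatch.fnmatch(name.lower(), "*log4j-core*.jar"):
        return True
    in_pax_dir = any(p.lower().startswith("pax-logging-log4j2")
                     for p in os.path.normpath(dirpath).split(os.sep))
    return in_pax_dir and name.lower().endswith(".jar")

def inspect_jar(path):
    # Manifest version plus whether JndiLookup.class (the CVE-2021-44228 entry point) survived.
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") \
            if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return {"path": path, "version": m.group(1) if m else None,
            "jndi_lookup_present": JNDI_CLASS in names}

def scan_tree(root):
    # Walk root recursively (read-only) and return one finding per candidate jar, sorted by path.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_candidate(dirpath, name):
                findings.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    # Constructed sample input (not a real install): one unpatched log4j-core jar, one with
    # the lookup class removed, one under pax-logging-log4j2, and one unrelated jar to skip.
    root = tempfile.mkdtemp()
    def jar(rel, version, with_lookup):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as z:
            z.writestr("META-INF/MANIFEST.MF",
                       f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
            if with_lookup:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    jar("server/lib/log4j-core-2.11.2.jar", "2.11.2", True)
    jar("portal/lib/log4j-core-2.11.2.jar", "2.11.2", False)
    jar("geoevent/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.jar", "1.11.2", True)
    jar("other/commons-io-2.6.jar", "2.6", False)
    return root
```

Run scan_tree on a real install root after the Esri scripts have been applied; any finding with jndi_lookup_present still True is a jar the mitigation did not reach.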
RandallWilliams
Esri Regular Contributor

100%. Let's keep it real:

Customers are (rightly) asking questions about a severe, media hyped vulnerability.

But what are customers doing to address the OTHER severe, NON-media hyped vulnerabilities we've patched in accordance with our product life cycle (where patches aren't available for software (like 10.5.x) in mature support)?

Esri has released 24 CVEs since becoming a CNA this year. There will be more early next year.

None of the patches for these CVEs target software in mature support.


CortWilson
Occasional Contributor

Yes... of course.

The bulletin states, "The scripts have been validated for versions 10.6 and above, however they should work on older versions of ArcGIS Enterprise and ArcGIS Server as well."

Well I tested it on 10.5, and now sharing the result 🙂

JohnGibson2
New Contributor II

Hi Cort, I looked at Server at both 10.3.1 and 10.6.1 for this issue earlier. Most likely 10.5 has no installs of log4j v2 (which is where the current vulnerability lies). However, it most likely has installs of log4j v1, which is now deprecated and has bugs of its own (but not as severe). So the supplied patch won't do anything for your 10.5 install. I can only suggest following ESRI's advice in the blog re upgrades etc. Of course, upgrading is often easier said than done, depending on your resources.

BrianParker2
New Contributor II

I have run the mitigation scripts and I believe they worked (removed the class), but I'm still not sure of any consequences of removing the lookup. It would be helpful to understand how Apache products are used by ArcGIS Server. Is Log4j used for logging in ArcGIS Server, perhaps? I just want to understand, at least at a high level.

Given the risk in using open source, the dependencies should, in my opinion, be documented.