Select to view content in your preferred language

ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

57162
162
Jump to solution
12-11-2021 09:13 AM
Carl_Flint
Occasional Contributor

Good afternoon, is there any patches in the works or potential mitigation steps for the latest java log4j vulnerability (CVE-2021-44228)?  I know that GeoEvent server uses log4j and can assume some other enterprise server's or portal potentially do as well.  Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
162 Replies
BrianParker2
Emerging Contributor

I had a question about the risk. Based on what I can find out, the risk would only apply to externally facing LDAP and other JNDI related endpoints? applications such as GeoEvent Server, GIS Portal or Geoportal implementations?

Internal implementations of ArcGIS Server or even External implementations that don't use Active DIrectory, from what I can tell, should be risk free. Is this correct?

0 Kudos
MichaelDavis3
Frequent Contributor

See this link for details: https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

Essentially someone can trigger a URL and download a payload if Log4j has access to the internet. The application doesn't have to have anything to do with LDAP it's just a way to trigger the URL.  

With a : present in the key, as in Example Removed to get through ESRI WAF there’s no prefix and the LDAP server is queried for the object. And these Lookups can be used in both the configuration of Log4j as well as when lines are logged.

So all an attacker has to do is find some input that gets logged and add something like  Example Removed to get through ESRI WAF. This could be a common HTTP header like User-Agent(that commonly gets logged) or perhaps a form parameter like username that might also be logged.

 

0 Kudos
Pei-SanTsai
Regular Contributor

Question regarding ArcGIS Pro, "Recent releases of ArcGIS Pro contain Log4j but are not known to be exploitable as the software does not listen for remote traffic."  What version is the Log4j on ArcGIS Pro 2.9?  I just updated my ArcGIS Pro on my server and checked the file that I have "log4j-1.2.17.jar" version.  Could I interpreted as ArcGIS Pro doesn't listen remote traffic, so shouldn't be an issue if I have an older version of log4j?

I'm on ArcGIS Enterprise 10.8.1, in place upgrade last October.  I have log4j-1.2.17.jar version and someone mentioned 10.8.1 is shipped with log4j-2.x.  Wondering if this wasn't updated during the upgrade?

0 Kudos
ToddCopeland
Emerging Contributor

Hi Randall,

Does the current mitigation script address this vulnerability in the ArcGIS web adaptors?

Thanks,

Todd

0 Kudos
RandallWilliams
Esri Regular Contributor

The web adaptor is not exploitable. The Java web adaptor contains log4j-api-[version#].jar, which is not impacted by this issue.

ToddCopeland
Emerging Contributor

Thank you for the update @RandallWilliams!

0 Kudos
TonyCollins
Regular Contributor

Just in case this helps anyone else, we successfully run the mitigation script today against Enterprise 10.8 hosted in Azure deployed using Cloud Builder.

Thank you for all the work getting the script together so quickly. 

0 Kudos
RobertWetmore
Emerging Contributor

A scan, after running the script for ArcGIS\Server, ArcGIS\Portal and ArcGIS\DataStore still shows this present in our install:

C:\arcgis\arcgisportal\dsdata\elasticsearch_7.3.0\lib\log4j-core-2.11.1.jar

can this simply be deleted?

 

0 Kudos
RandallWilliams
Esri Regular Contributor

The scripts don't delete log4j*.jar - they delete the jndilookup.class from inside the .jar. 

0 Kudos
LaurensGIS
Occasional Contributor

You made the same mistake I did. You missed step 8: https://support.esri.com/en/Technical-Article/000026950

So you also have to run the script on this directory c:\arcgis\arcgisportal