
ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

12-11-2021 09:13 AM
Carl_Flint
New Contributor III

Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses log4j and can assume some other Enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
162 Replies
IngridMans
Occasional Contributor II

I'd like more documentation/guidance for installing Python on the Datastore machine. I don't see a Python download on MyEsri, and going directly from the Python website there are lots of versions to choose from. Our deployment has Datastore on a separate machine from Portal or Server, so no Python is installed.

0 Kudos
JimSahlie
New Contributor II

Hi Ingrid, I downloaded and installed 3.10.1 for Windows from the Python.org website. I did a minimal install on the Datastore machines and it worked perfectly.

https://www.python.org/ftp/python/3.10.1/python-3.10.1.exe

0 Kudos
IngridMans
Occasional Contributor II

After installation is there anything special required for environment setup? And did you install under the user account or elsewhere on the machine? I ran into some issues with cmd recognizing the python.exe inputs. I think I saw another post elsewhere in this thread about installing ArcGIS Pro just to get Python setup...

0 Kudos
PhilipOrlando
New Contributor III

Following.

0 Kudos
by Anonymous User
Not applicable

Hi

We use some older installs of ArcGIS Server (10.3.1 and 10.6.1). Scanning the install for log4j shows only older versions of log4j under C:\Program Files\ArcGIS\Server\framework, dated 2005 and with version 1.2.12 in the manifest. I could not find any reference to the class or function names cited in the CVE-2021-44228 advisory. My initial thought is that these versions of ArcGIS Server do not use log4j v2 and may not be vulnerable as a result.

I used this command from CMD, using the Java SDK utility jar.exe to list the Java classes:

C:\Program Files\ArcGIS\Server\framework>forfiles /S /M *.jar /C "cmd /c jar -tvf @file | findstr /C:"log4j" && echo @path" > C:\Temp\log4j_info.txt 

(see https://www.windows-commandline.com/search-classes-in-jar-file/)

Unzipping a copy of a Jar file (rename & unzip) shows the version in the manifest.mf file.

Regards

John

AdrianMarsden
Regular Contributor II

Looking at my servers, some have log4j 2.x, some don't. I realize it is still early on this, but an exact matrix of what does and doesn't have this would be really useful.


SPisOs
New Contributor II

I am on ArcGIS Server 10.6.1.

I have found this Jar, which I think is affected:

"C:\Program Files\ArcGIS\Server\framework\lib\shared\log4j-core-2.8.2.jar"

Following the suggestions from

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

I am going to delete from that Jar:

org/apache/logging/log4j/core/lookup/JndiLookup.class

I am also going to add the System environment variable

LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Then reboot

Question: Are there any other Jars to fix or reconfigure?

JohnGibson2
New Contributor II

The utility available at GitHub - logpresso/CVE-2021-44228-Scanner: Vulnerability scanner and mitigation patch for Log4j2 CVE... looks like a useful check.

Using the utility on ArcGIS Server 10.3.1 (Server only, no extensions) on Windows Server lists no vulnerabilities.

Using the utility on ArcGIS Server 10.6.1 (Server only, no extensions) on Windows Server lists the following issues:

C:\Users\bloggsj>D:\Temp\Utilities\log4j2-scan.exe "C:\Program Files\ArcGIS"
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\framework\lib\shared\log4j-core-2.8.2.jar, log4j 2.8.2
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\configurebasedeployment\lib\log4j-core.jar, log4j 2.8.2
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\createsite\lib\log4j-core.jar, log4j 2.8.2
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\upgradebasedeployment\lib\log4j-core.jar, log4j 2.8.2
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\ArcGIS\Server\tools\upgradeserver\lib\log4j-core.jar, log4j 2.8.2

Scanned 5264 directories and 45936 files
Found 5 vulnerable files
Completed in 22.24 seconds

Regards

John
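
As an added example (not code from this thread, from Esri, or from the logpresso scanner), the following Python script combines the checks in the posts above into one pass: like the forfiles/jar -tvf command and the log4j2-scan run, it walks a directory tree such as C:\Program Files\ArcGIS, reports the log4j-core version from each jar's bundled pom.properties together with whether JndiLookup.class is still present, and, as the earlier post proposes, can rewrite a jar without that class while keeping a .bak copy. It assumes log4j-core jars ship the Maven pom.properties entry; it does not open nested jars, does not set LOG4J_FORMAT_MSG_NO_LOOKUPS, and, like the scanners discussed here, reports nothing for log4j 1.x jars.

```python
import os, re, shutil, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# log4j-core records its Maven coordinates, including the version, in this entry.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def scan_jar(jar_path):
    """(version, has_jndi_lookup) for a log4j-core jar, else None; nested jars are not opened."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            names = set(zf.namelist())
            if POM_PROPS not in names:
                return None
            m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode(), re.M)
            return (m.group(1).strip() if m else "unknown", JNDI_CLASS in names)
    except zipfile.BadZipFile:
        return None

def scan_tree(root):
    """Walk root (e.g. C:\\Program Files\\ArcGIS) -> {jar_path: (version, has_jndi_lookup)}."""
    jars = (os.path.join(d, f) for d, _, fs in os.walk(root)
            for f in fs if f.lower().endswith(".jar"))
    results = {p: scan_jar(p) for p in jars}
    return {p: r for p, r in results.items() if r is not None}

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; the original is kept as .bak."""
    shutil.copy2(jar_path, jar_path + ".bak")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(jar_path + ".tmp", "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(jar_path + ".tmp", jar_path)

def demo():
    """Constructed sample tree: a fake log4j-core 2.8.2 jar plus a log4j 1.2.12 jar."""
    root = tempfile.mkdtemp()  # not a real ArcGIS install
    vuln = os.path.join(root, "log4j-core-2.8.2.jar")
    with zipfile.ZipFile(vuln, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=2.8.2\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with zipfile.ZipFile(os.path.join(root, "log4j-1.2.12.jar"), "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"")  # 1.x layout: no log4j-core pom
    before = scan_tree(root)
    strip_jndi_lookup(vuln)
    after = scan_tree(root)
    shutil.rmtree(root)
    return {"flagged": len(before), "before": before[vuln], "after": after[vuln]}
```

Run scan_tree against the install root first and keep the .bak files until the affected services have been restarted and verified; the 1.2.12 jar in the demo is deliberately not reported, which is the gap Erik points out below.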

ErikLash1
Occasional Contributor

Ran the Github check:

10.9.1 GIS Server ships with log4j 2.14.1. Have not checked other components in 10.9.1.
10.8.1 Enterprise has a mix including 2.11.1.

ESRI public release states (for 10.8.x and up) that "You will still see vulnerable Log4j version numbers on these systems, however it is not exploitable as their Java Runtime Environments (JRE) do not execute the code."

Be careful with logic when thinking that 10.3.1 and other older versions with 1.x are not vulnerable simply because they do not pop up in the check.

From Apache for those on older/EOL Enterprise: Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed.

Hope this helps.

JohnGibson2
New Contributor II

Good point about 10.3.1, thanks Erik. ArcGIS Servers (v.10.3.1) use log4j v1.2.12, which is, however, vulnerable to some much older but lesser issues (see https://logging.apache.org/log4j/1.2/). This has a CVSS threat score of 7.5, and this threat has been around for many years. There is no fix.