ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

32418
162
Jump to solution
12-11-2021 09:13 AM
Carl_Flint
New Contributor III

Good afternoon, is there any patches in the works or potential mitigation steps for the latest java log4j vulnerability (CVE-2021-44228)?  I know that GeoEvent server uses log4j and can assume some other enterprise server's or portal potentially do as well.  Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
1 Solution

Accepted Solutions
RandallWilliams
Esri Regular Contributor

Our current statement is available on https://trust.arcgis.com. Look for more updates as this issue evolves. 

View solution in original post

Tags (2)
162 Replies
IngaPlayle1
New Contributor II

I'm also waiting to hear any news from ESRI about this. 

JoshuaBixby
MVP Esteemed Contributor

A quick filesystem search on a stand-alone ArcGIS Server installation shows numerous components using log4j.  This won't just be about patching a file, but lots of files involving multiple components of multiple products.  A not-so-happy holidays for Esri dev teams.

AndresEcheverri
New Contributor III

Really interested on this topic too. 

JohnBrockwell
Occasional Contributor III

I found it here on my Portal for ArcGIS server:

E:\arcgisportal\upgrade-backup\10.5.1\dsdata\elasticsearch_2.3.2\lib

 

File Name:

apache-log4j-extras-1.2.17.jar

 

The file is located in a 10.5.1 backup folder. I am currently running 10.8.1. Does it matter?

 

 

 

0 Kudos
RandallWilliams
Esri Regular Contributor

Sorry for the delayed reply. I see what you're saying, we made a backup when you upgraded. That's a backup in case your upgrade failed and you needed to bail out. I'd maybe archive it on an offline drive and just delete that directory.

0 Kudos
ALLANGILLIS
New Contributor

That version of Log4J is not affected.  Only versions 2.0 - 2.14.1

https://www.zdnet.com/article/log4j-zero-day-flaw-what-you-need-to-know-and-how-to-protect-yourself/

 

0 Kudos
OmerBen-Asher
New Contributor III

also interested 

0 Kudos
Scott_Tansley
Regular Contributor

Following.  Thanks for raising.  

Scott Tansley
Consulting Architect (ArcGIS Enterprise)
https://www.linkedin.com/in/scotttansley/
0 Kudos
MarkusRuottinen
New Contributor II

Also following.

 

0 Kudos