ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

12-11-2021 09:13 AM
Carl_Flint
New Contributor III

Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses log4j and can assume some other enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
162 Replies
BrianParker2
New Contributor II

I ran this patch and it worked on the first file but failed on the second. My file list is below. My question is: can I copy the 1st file into the other directories on the list?


D:\Program Files\ArcGIS\Server\framework\lib\shared\log4j-core-2.11.1.jar -----
D:\Program Files\ArcGIS\Server\tools\configurebasedeployment\lib\log4j-core.jar
D:\Program Files\ArcGIS\Server\tools\createsite\lib\log4j-core.jar
D:\Program Files\ArcGIS\Server\tools\upgradebasedeployment\lib\log4j-core.jar
D:\Program Files\ArcGIS\Server\tools\upgradeserver\lib\log4j-core.jar

 

0 Kudos
JohnGibson2
New Contributor II

Hi Brian, I initially found the same problem as you when running the script against a 10.8.1 Server install on Windows. As a workaround I first manually backed up the listed 5 .jar files into separate subdirs to ensure I saved the right ones.

I then modified the Py script by commenting out #backup(jar_path) at line 56. I then reran the script using CMD as administrator & it worked fine. I was probably just missing some permissions on my admin account or something. Thanks to ESRI for pushing out this script so quickly.

0 Kudos
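Added example (not part of the thread and not Esri's script): Apache's published mitigation for CVE-2021-44228 is to delete `JndiLookup.class` from each `log4j-core` jar, so after a run like the one described above you can check every jar under the install directory independently. The function names and the sample tree are constructed for illustration; point `scan_log4j_core` at your own install root.

```python
import os
import tempfile
import zipfile

# Class that Apache's CVE-2021-44228 guidance removes from log4j-core jars.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def scan_log4j_core(root):
    """Map every log4j-core*.jar under root to 'present', 'removed' or 'unreadable'."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if not (lower.startswith("log4j-core") and lower.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    found = JNDI_CLASS in jar.namelist()
                results[path] = "present" if found else "removed"
            except (zipfile.BadZipFile, OSError):
                # Locked or truncated jars are reported, never silently skipped.
                results[path] = "unreadable"
    return results


def build_sample_tree(root):
    """Constructed sample input: one unpatched, one patched, one damaged jar."""
    samples = {
        ("framework", "lib", "shared", "log4j-core-2.11.1.jar"): [JNDI_CLASS],
        ("tools", "createsite", "lib", "log4j-core.jar"): ["META-INF/MANIFEST.MF"],
    }
    for parts, entries in samples.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")
    damaged = os.path.join(root, "tools", "upgradeserver", "lib", "log4j-core.jar")
    os.makedirs(os.path.dirname(damaged), exist_ok=True)
    with open(damaged, "wb") as fh:
        fh.write(b"not a zip archive")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for jar_path, status in sorted(scan_log4j_core(tmp).items()):
            print(f"{status:10}  {os.path.relpath(jar_path, tmp)}")
```

Manual backup copies that keep the `.jar` name will be reported as `present`, which is expected; store them outside the scanned tree or rename them so they are not mistaken for live files.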
BillFox
MVP Frequent Contributor

ditto, CMD as administrator

0 Kudos
BrianParker2
New Contributor II

Thanks John,

I was trying to use the ArcGIS Server “run as” account approach mentioned in the Preparation. Once I went with Administrator everything worked.

TonyCollins
Occasional Contributor

Good Afternoon,

Thank you for all your hard work on this so far. 

On the information page it states the following: 

'Out of an abundance of caution, Esri has created Log4Shell mitigation scripts that are strongly recommended to be applied to all installations of ArcGIS Enterprise and ArcGIS Server of any version of the software.'

Also

'Customers are strongly encouraged to use the supplied scripts rather than waiting for additional patch availability.'

We have a single-machine deployment of ArcGIS Enterprise 10.8 hosted in Azure that was deployed using the Cloud Builder application.

Could I please ask if the Esri-created Log4Shell mitigation scripts will work on this deployment and if Esri also recommends this?

Many thanks

 

RandallWilliams
Esri Regular Contributor

A. Yes, do it. 

B. Upgrade to 10.8.1 and install all the other security patches we've released this year. 

 

 

0 Kudos
TonyCollins
Occasional Contributor

Thank you so much for your prompt reply @RandallWilliams 

So can/should this be run before the 10.8.1 upgrade?

We had a real tough time getting the actual Cloud Builder install to work. It had a bug where it crashed half way through and then needed to be re-run to complete. I think this was due to the installation taking longer than was allowed by the Azure ARM templates. 

Consequently, I am very wary/worried of performing the upgrade. Does this reconfigure any other Azure resources, or is the installation work performed solely on the VM if it's an upgrade?

Thanks for any help

0 Kudos
RandallWilliams
Esri Regular Contributor

I'll follow up with you.

0 Kudos
JimSahlie
New Contributor II

Our Datastore servers do not have Python runtime installed like the Server and Portal machines do.  What is the most expedient way to install Python in order to run the security patch on the Datastore machines?