ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

12-11-2021 09:13 AM
Carl_Flint
New Contributor III

Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses log4j and can assume some other enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.

Thanks,

Carl Flint, GISP
162 Replies
JoseManalang
New Contributor

Carl,

I am with the USGS Dept. Do you have any resolution and response for the Log4J vulnerability (CVE-2021-44228)? Please reply.

0 Kudos
Carl_Flint
New Contributor III

Jose,

The post marked solution by @RandallWilliams has a link to the ESRI blog post with the relevant information on how to mitigate the issue.

Carl Flint, GISP
0 Kudos
RandallWilliams
Esri Regular Contributor

See the advisory on https://trust.arcgis.com

andysp
New Contributor III

I've reviewed this thread and am looking at the current advice to run mitigation scripts to remove JndiLookup.class files. I have not seen any discussion of potential adverse effects. Is there a downside of removing the JndiLookup.class files? Will we lose functionality (if so, what)? Or are they simply unused in ArcGIS products?

0 Kudos
RandallWilliams
Esri Regular Contributor

Apache corrected this issue in Log4J in v 2.15 by disabling JNDILookup. In prior versions, it was enabled by default. There are no adverse effects we've seen by removing these classes. Removing these classes is a mitigation endorsed by Apache.

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228

0 Kudos
BrianFausel
Occasional Contributor III

When I download the "log4shellmitigation" python script I am not seeing the same Windows hash # that is listed in the How To instructions for ArcGIS Server. Has the hash # been changed and this document is out of date? Last updated on 12/16, today is 12/17. I cleared my cache and tried other browsers, as suggested in the How To.

0 Kudos
Aaron-L
New Contributor II

The hash provided is for the zip file and not the python script. The zip file hash appears to match for me.

0 Kudos
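Two points in this thread lend themselves to a concrete check: Randall's note that the endorsed mitigation is to remove the JndiLookup class from the log4j jars, and Aaron's note that the published hash applies to the downloaded zip rather than the script inside it. The following is an added example written for this thread, not Esri's log4shellmitigation script and not part of any post above. It walks a directory tree, reports every jar that still carries `org/apache/logging/log4j/core/lookup/JndiLookup.class`, rewrites a jar without that entry while keeping a `.bak` copy, and verifies a downloaded archive against an expected SHA-256. The sample jar it builds is a constructed stand-in with placeholder bytes, not a real log4j build; the directory and file names are assumptions.

```python
"""Scan jars for Log4j's JndiLookup class, strip it, and verify a download hash.

Added example for illustration; not Esri's log4shellmitigation script.
"""
import hashlib
import os
import shutil
import tempfile
import zipfile

# Entry name of the class whose removal Apache lists as a mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_sha256):
    """True if the file's SHA-256 matches the published value (hash the zip, not the .py inside)."""
    return sha256_of(path).lower() == expected_sha256.strip().lower()


def jar_has_jndi_lookup(jar_path):
    """True if the jar's central directory lists JndiLookup.class."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return JNDI_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return False


def find_affected_jars(root):
    """Walk root and return sorted paths of jars that still contain JndiLookup.class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                if jar_has_jndi_lookup(path):
                    hits.append(path)
    return sorted(hits)


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class; keeps jar_path + '.bak'. Returns entries removed."""
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    tmp_fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(tmp_fd)
    removed = 0
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed += 1
                continue  # drop only the lookup class; every other entry is copied as-is
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)  # atomic swap so a reader never sees a half-written jar
    return removed


def build_sample_jar(directory):
    """Constructed toy jar (placeholder bytes, not real log4j) containing a JndiLookup.class entry."""
    path = os.path.join(directory, "log4j-core-sample.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe placeholder")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Build the sample, verify its hash, scan, strip, rescan.

    Returns (jars_hit_before, entries_removed, jars_hit_after, hash_verified).
    """
    work = tempfile.mkdtemp(prefix="log4j-demo-")
    try:
        jar = build_sample_jar(work)
        hash_ok = verify_download(jar, sha256_of(jar))  # stands in for the published zip hash
        before = find_affected_jars(work)
        removed = strip_jndi_lookup(jar)
        after = find_affected_jars(work)
        return len(before), removed, len(after), hash_ok
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())  # expected (1, 1, 0, True)
```

Run `find_affected_jars` against an install directory before and after mitigation to confirm nothing was missed, and keep the `.bak` copies until the services have been restarted and checked; as the later posts in this thread note, the restart itself is where the operational risk sits.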
BrianFausel
Occasional Contributor III

Thanks for clarifying. When I ran it against the zip the hash matches for me as well.

0 Kudos
berniejconnors
Occasional Contributor III

We have applied the mitigation script to our DEV, TEST, and PROD systems. We are running ArcGIS Server 10.7.1 and we have 4 server VMs and 2 web adaptor VMs in PROD. The mitigation went flawlessly until PROD. To avoid interruption in service we applied the mitigation one server at a time but I think we moved too quickly between the PROD servers. The ArcGIS Server service was not fully restored on Server A when we stopped the service on Server B and this caused our web adaptors to lose connection to their config file. The config files for the web adaptors are stored on the first two ArcGIS Server VMs. Web adaptor A gets its config from Server A and Web adaptor B gets its config from Server B. I believe for a short time neither web adaptor had access to its config file and both web adaptor VMs malfunctioned and took all of our services offline. Restarting the web adaptors and the servers cleared up the problem. Unfortunately that took nearly one hour to coordinate with our server admin team. Today the servers are running smoothly and we cannot detect any difference in behaviour or performance.

0 Kudos