ArcGIS Enterprise Log4j Vulnerability (CVE-2021-44228) Patch or Mitigation?

The below article helps with data store :  https://support.esri.com/en/Technical-Article/000026949

More questions:

Can anyone to date verify that their system (on-premises base or distributed deployment) has in fact been exploited by this? 

How would we know, what would an exploit look like?

Finally, what is the specific version of python 3.5.x that should be installed on datastore?

To provide an actionable answer to the question of "what does an exploit look like" there are a few quick and easy things that GIS administrators can check in their systems:

• Most adversaries use a different IP to scan than they do to listen for incoming victims machines - tracking listening IPs from known treat actors is far more valuable to than scanning IPs.
• An outbound connection or listening wait from a GIS machine to a known threat actor listening IP may be the easiest IoC to scan for. This can easily be accomplished using NetStat in windows.
• Activity or connection from a GIS machines Java processes that does not conform to regular ESRI implementation parameters such as Java child processes calling wget, curl, or powershell commands. This is another easy IoC review that can be undertaken by GIS administrators.
• Outbound LDAP and RMI and rogue JRMI or LDAP requests to external servers is a little more complex review but can be monitored in real time. If possible after determination if LDAP connections are required on your machines, blocking those connections is a good way to close the door entirely on that vector.
• Scanning for webshells is super important. Webshells are not only an IoC for successful Log4J exploitation they are extremely common in other attacks.
• Scan for and detect payload execution on a machine for post-exploitation activities. Many of these activities will be easily noticed even if endpoint security is not up to date - crypto-currency mining software (one of the most common early post exploit activities) will consume the systems resources. Others that will generate unique signatures include Mirai and BazarLoader.

Let's keep the list going - what else will a successful exploit look like and what are the methods you are undertaking as you mitigate on your systems?

HI All,

Sorry for the lack or recent participation. As you can imagine, we've been heads down with Log4J and other tactical and strategic issues software security issues here at Esri. 

To answer some questions in no particular order:

@ErikLash1 @DavidColey 

Esri has not yet heard from a customer who has been exploited via log4j of any version in any of our software. 

We (Software Security and Privacy) AND the core ArcGIS Enterprise development team used white box testing techniques (walking the source code) while testing these 5 recently logged CVEs and we have not been able to exploit these either. We do not believe that ANY of these log4j issues are exploitable in our software (mitigation by design), but we are nonetheless producing formal patches for all versions in current support status since December 09 2021.

In terms of what an exploit would look like:

An exploit would most likely look like one of the bundled JREs that ship with ArcGIS Enterprise invoking some windows executable - like Javaw.exe --cmd /c c:\path\to\some\exe --some --argument. 

Note that ArcGIS Enterprise (as designed) itself will call some exes by default - like we call (for example) pg_isready to check the health of the internal database. 

If you see a JAVAW instance calling wget or ftp or similar and pulling down a file...that would concern me. 

hello!

If you run the log4shellmitigation script on "arcgisportal-content" catalog the script tells you that it's need patching. Have anyone tried run the script on this catalogs? To be clear, it's not the installationfolders, just the content folders.