log4j and a ArcGIS 10.8.1 upgrade

470
2
01-28-2022 09:35 AM
forestknutsen1
MVP Regular Contributor

I was under the impression that ArcGIS Enterprise 10.8.1 did not  the vulnerable versions of log4j. This assumption was based off the early mitigation steps from Esri recommending an upgrade to 10.8 or higher (this was the recommendation (posted around 12/13/2021) before the mitigation scripts were released.

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2...

But I see that the mitigation scripts are recommended after an upgrade for all versions.

 

"After upgrading Enterprise do I need to re-run the script again (for example, 10.9 to 10.9.1)

  • Yes"

https://support.esri.com/en/technical-article/000026995

After doing an upgrade to 10.8.1 in our dev environment we reran the scripts and it removed a number of new log4j files. 

 

Do all versions of ArcGIS Enterprise have the vulnerability? Therefore, an upgrade just reinstalls the vulnerable code?

Tags (1)
2 Replies
Brian_Wilson
Occasional Contributor III

I was under that impression too but I think its safer to remove anything flagged by this CERT script instead of relying only on Esri messages.

I needed to soothe BitDefender, which was flagging both 10.8.1 and 10.9 here. BitDefender does not give me anything other than "the problem is in the filesystem" so it was up to me to find which files trigger it.

I ran the script from CERT to search for vulnerabilities everywhere on C:, it flagged all the components of ArcGIS, that is, DataStore, Portal, and Server.

The scanner is here: https://github.com/CERTCC/CVE-2021-44228_scanner.git

The scanner also found some other things unrelated to Esri which I simply uninstalled.

I used the python version because it was short enough to read and understand so I could tell it was not doing anything nefarious. (Likewise the one from Esri) I am always reluctant to download and run code from a github archive without checking it.

I ignored the advice from Esri about what components might or might not be vulnerable/exploitable and used the python script that Esri provided ("log4shellmitigation"), and ran it on each component. 

Now BitDefender (and my network administrator) have calmed down and that's what really matters to me. 

 

0 Kudos
forestknutsen1
MVP Regular Contributor

cool thanks for the information

0 Kudos