Log4J version update?

02-02-2022 11:35 AM
hkrebs95
New Contributor

Hello all,

I'm just curious if ESRI is planning to include a Log4J version update in any upcoming releases/patches? Our leadership has determined that we cannot leave systems online that have Log4J < 2.17 regardless of whether the system can actually be exploited. I'm hoping with a forecasted patch we can keep our systems online knowing that a fix is coming down the pipeline. 

Thanks so much!

0 Kudos
4 Replies
hkrebs95
New Contributor

Thank you! I have reviewed that in the past. Unfortunately our leadership is being rather tone-deaf to the actual exploitability of the vulnerability and only cares about the version number. I did review our 1560001 plugin out of Nessus and it confirms the JNDI lookup class does not exist. If only that were enough.

0 Kudos
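The post above draws the distinction that matters for this thread: a jar can fail a pure version-number policy (log4j-core < 2.17) while still lacking the JndiLookup class that the JNDI lookups go through. The script below is an added example, not code from the original post, from Esri, or from Nessus; it re-creates the same two checks locally by reading each jar's `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` for the version and testing for `org/apache/logging/log4j/core/lookup/JndiLookup.class`. The sample jars it builds in a temp directory are constructed stand-ins (a placeholder class entry, not real bytecode) so the example runs offline; the `>= 2.17.0` threshold mirrors the leadership policy described in the thread and is a parameter, not a recommendation.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Paths inside a log4j-core jar (real layout), used for the two checks.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Version-number policy from the thread ("cannot leave systems online with Log4J < 2.17").
# Assumed threshold for this example; adjust to your own policy.
POLICY_MIN_VERSION = (2, 17, 0)


def parse_version(text):
    """Turn '2.14.1' or '2.17' into a comparable tuple; anything else (e.g. '2.17.1-rc1') -> None."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def read_log4j_core_version(zf):
    """Return the version string from log4j-core's pom.properties, or None if the jar has none."""
    try:
        data = zf.read(POM_PROPERTIES).decode("utf-8", errors="replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def assess_jar(jar_path):
    """Assess one jar: version, JndiLookup.class presence, version-policy result and a verdict."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = read_log4j_core_version(zf)
        has_jndi = JNDI_LOOKUP_CLASS in names
    parsed = parse_version(version) if version else None
    version_ok = parsed is not None and parsed >= POLICY_MIN_VERSION

    if version is None and not has_jndi:
        verdict = "not-log4j-core"            # no version metadata and no lookup class
    elif version is None:
        verdict = "vulnerable-unknown-version"  # lookup class present, version unreadable
    elif version_ok:
        verdict = "compliant"                 # satisfies the version-number policy
    elif not has_jndi:
        verdict = "mitigated-by-class-removal"  # fails the version policy, but JndiLookup is gone
    else:
        verdict = "vulnerable"                # old version and JndiLookup.class still present
    return {"jar": str(jar_path), "version": version, "has_jndi_lookup": has_jndi,
            "version_ok": version_ok, "verdict": verdict}


def scan_tree(root):
    """Assess every *.jar under a directory tree (nested jars inside .war/.ear are not unpacked here)."""
    return [assess_jar(p) for p in sorted(Path(root).rglob("*.jar"))]


def build_sample_jar(path, version, include_jndi_lookup):
    """Write a constructed jar that mimics log4j-core's metadata layout (not real log4j bytecode)."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES,
                        f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")  # placeholder entry; presence is all that is checked


def build_demo_tree():
    """Construct four sample jars in a temp dir and return {file name: verdict}."""
    root = Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    build_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1", True)               # unpatched
    build_sample_jar(root / "log4j-core-2.14.1-jndi-removed.jar", "2.14.1", False)  # class stripped
    build_sample_jar(root / "log4j-core-2.17.1.jar", "2.17.1", True)               # meets policy
    build_sample_jar(root / "other-lib-1.0.jar", None, False)                      # unrelated jar
    return {Path(r["jar"]).name: r["verdict"] for r in scan_tree(root)}


if __name__ == "__main__":
    for name, verdict in build_demo_tree().items():
        print(f"{name:40s} {verdict}")
```

Run it against a real install root (`scan_tree("/path/to/arcgis")`) to get both answers per jar: the version-number answer leadership asks for and the class-presence answer the Nessus plugin gives. A jar reported as `mitigated-by-class-removal` is the case this thread is about; note that this check only looks inside plain jars and does not unpack jars nested in `.war` or `.ear` archives, and it says nothing about log4j 1.x.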
JonEmch
Esri Regular Contributor

Hey there @hkrebs95, we have put out communication on this here:

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2...

For mitigation efforts and updates. While I cannot comment on version numbers, I know there are efforts underway to address these concerns. Please reach out to our security team here: https://trust.arcgis.com/en/security-concern/ with any additional questions.

Keep on keeping on!
0 Kudos
Oiligriv
Occasional Contributor

ArcGIS Enterprise security patches will be released throughout Q1 2022, with more specific dates posted here as the effort progresses.
source: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2...

0 Kudos