I'm just curious if ESRI is planning to include a Log4J version update in any upcoming releases/patches? Our leadership has determined that we cannot leave systems online that have Log4J < 2.17 regardless of whether the system can actually be exploited. I'm hoping with a forecasted patch we can keep our systems online knowing that a fix is coming down the pipeline.
Thanks so much!
Thank you! I have reviewed that in the past. Unfortunately, our leadership is being rather tone-deaf to the actual exploitability of the vulnerability and only cares about the version number. I did review our 1560001 plugin out of Nessus, and it confirms the JNDI lookup class does not exist. If only that were enough.
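The check described in the post above (is the JndiLookup class present, and what version does the jar report) can be reproduced without Nessus. The following is an added example, not code from this thread or from Esri; it builds constructed sample jars that mimic the log4j-core layout, then classifies each by its pom.properties version and by whether JndiLookup.class is still in the archive. The "2.17.0" floor is the policy from the opening post, not a statement about exploitability.

```python
import os
import re
import tempfile
import zipfile

# Entry that the JNDI-lookup removal mitigation deletes from log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships inside the jar; carries the version.
POM_PROPS = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")


def inspect_jar(path):
    """Return (version, has_jndi_lookup). version is None if this is not log4j-core."""
    version, has_jndi = None, False
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                has_jndi = True
            elif POM_PROPS.search(name):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    return version, has_jndi


def version_tuple(v):
    # Numeric components only, so "2.0-beta9" compares without raising.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def assess(path, minimum="2.17.0"):
    """Classify one jar against a version floor and the class-removal mitigation."""
    version, has_jndi = inspect_jar(path)
    if version is None:
        return "not-log4j-core"
    if version_tuple(version) >= version_tuple(minimum):
        return "ok"
    return "below-floor-jndilookup-present" if has_jndi else "below-floor-jndilookup-removed"


def scan_tree(root):
    """Map jar file name -> assessment for every .jar under root (nested war/ear contents are not opened)."""
    return {f: assess(os.path.join(d, f)) for d, _, files in os.walk(root) for f in files if f.endswith(".jar")}


def make_sample_jar(path, version, include_jndi):
    """Constructed sample jar with log4j-core's layout; class bodies are placeholder bytes, not real code."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Build three constructed jars (unpatched, class-removed, upgraded) and scan them."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_jar(os.path.join(d, "log4j-core-2.14.1.jar"), "2.14.1", True)
        make_sample_jar(os.path.join(d, "log4j-core-2.14.1-patched.jar"), "2.14.1", False)
        make_sample_jar(os.path.join(d, "log4j-core-2.17.1.jar"), "2.17.1", False)
        return scan_tree(d)
```

Point `scan_tree` at an ArcGIS Enterprise install directory to get the same two facts per jar that the Nessus plugin reports; a jar inside a .war or .ear has to be extracted first, since this scanner does not recurse into nested archives.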
Hey there @hkrebs95, we have put out communication on this here:
For mitigation efforts and updates. While I cannot comment on version numbers, I know there are efforts underway to address these concerns. Please reach out to our security team here: https://trust.arcgis.com/en/security-concern/ with any additional questions.
ArcGIS Enterprise security patches will be released throughout Q1 2022, with more specific dates posted here as the effort progresses.