
Log4j Vulnerability Question - ArcGIS Server 10.2

02-21-2022 09:06 PM
NaveenK
Occasional Contributor

Hello Everyone, 

We are currently using a retired version of ArcGIS Server 10.2 and will soon be moving to 10.9.1.

I have executed the mitigation script on the old version with the 'list' option, and the script does not show me any results, as attached. However, when run against the latest 10.9.1 version, it gives me a list of files that would be modified.

I would like to know if someone using an older version has observed the same behavior with the script. Also, I would like to know if the script will work for the older version even though it is not validated by Esri.

Thank you

Regards,

Naveen

3 Replies
Scott_Tansley
MVP Regular Contributor

The reason that the script won't list anything on your old (10.2.x) version is that it was released before Log4J 2.x.

Release date of ArcGIS 10.2.2 - April 15, 2014:  Esri Support ArcGIS Server 10.2 (10.2.1, 10.2.2)

If you're upgrading to 10.9.1, then the old version will be effectively removed, and completely replaced by 10.9.1.  Then there is only a need to run the scripts on the new version anyway.

I hope this helps.  

Release date of log4j 2.x - July 2014:  Log4j - Wikipedia
Scott Tansley
https://www.linkedin.com/in/scotttansley/
NaveenK
Occasional Contributor

Thanks Scott. Any idea which version of log4j is used in ArcGIS Server 10.2.x versions?

Regards,

Naveen

Scott_Tansley
MVP Regular Contributor

It would have been the 1.x libraries, which were replaced because of a different security vulnerability altogether.  I no longer have access to anything that is older than 10.6.1 as it's just too legacy, so I can't do anything to check, sorry.  I just strongly recommend you get away from 10.2.x as quickly as possible.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
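
Added example, not part of the thread and not Esri's mitigation script: a read-only Python check for the question raised above, reporting which log4j generation each jar under an install directory belongs to by looking for package markers inside the archive. The `1.x namespace` label can also match the Log4j 2 compatibility bridge, which reuses the `org.apache.log4j` package; the jar names and versions written by `build_demo` are constructed samples, not a statement of what any ArcGIS release ships.

```python
import re
import sys
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x
V2_CORE_PREFIX = "org/apache/logging/log4j/core/"
V1_MARKER = "org/apache/log4j/Appender.class"  # 1.x package namespace

def classify_jar(path):
    """Return (family, version) for a jar, or None when it holds no log4j classes."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if JNDI_LOOKUP in names:
                family = "2.x core, JndiLookup present"
            elif any(n.startswith(V2_CORE_PREFIX) for n in names):
                family = "2.x core, JndiLookup absent"
            elif V1_MARKER in names:
                family = "1.x namespace"
            else:
                return None
            version = "unknown"
            if "META-INF/MANIFEST.MF" in names:
                text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
                if m:
                    version = m.group(1)
            return family, version
    except (zipfile.BadZipFile, OSError):
        return "unreadable", "unknown"  # surfaced so a corrupt jar is not silently skipped

def scan(root):
    """Walk root for *.jar files and return {relative path: (family, version)}."""
    root = Path(root)
    found = {p.relative_to(root).as_posix(): classify_jar(p) for p in sorted(root.rglob("*.jar"))}
    return {name: result for name, result in found.items() if result}

def build_demo(root):
    """Write constructed sample jars (empty class entries) so the scan can be tried offline."""
    samples = {"log4j-1.2.17.jar": (V1_MARKER, "1.2.17"),
               "log4j-core-2.14.1.jar": (JNDI_LOOKUP, "2.14.1"),
               "unrelated.jar": ("com/example/App.class", "1.0")}
    for name, (marker, ver) in samples.items():
        with zipfile.ZipFile(Path(root) / name, "w") as zf:
            zf.writestr(marker, b"")
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\r\n")

if __name__ == "__main__" and len(sys.argv) > 1:
    for jar, (family, version) in scan(sys.argv[1]).items():
        print(f"{jar}: {family} (version {version})")
```

Run it with the install directory as the only argument; it only reads the jars and does not look inside nested archives such as `.war` files.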