Normal (?) behavior for ArcGIS server?

706
2
Jump to solution
01-06-2022 09:07 AM
HannahKrebs
New Contributor

Hello All,

My organization's McAfee AV is flagging a process as suspicious for Log4J exploitation. This is on a server with ArcGIS server 10.8.1 installed. The command in question is:

cmd.exe /c .\bin\pg_isready -h localhost -p 9876 -d <db> -U <user>

The source path C:\Program Files\ArcGIS\DataStore\framework\runtime\jre\bin\java.exe.

From what I can tell this is a normal PostgreSQL db check, but I need to confirm for higher ups that this is expected behavior and not an actual exploit attempt. Does anyone know if this is quote-unquote normal?

Thanks so much.

1 Solution

Accepted Solutions
JonEmch
Esri Regular Contributor

Hey there Hannah, thank you for posting. I would like to point you to our blog on this o-day found here: ArcGIS and Apache Log4j Vulnerabilities.

In it, our security team mentions that:

"Several ArcGIS Enterprise components contain the vulnerable log4j library, however there is no known exploit available for any version of a base ArcGIS Enterprise deployment (including the ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store components) or stand-alone ArcGIS Server at this time."

We are aware of the log4j file at the location you posted, and the mitigating scripts in that blog should remove them. If you have any questions, please reply to me or reach out to our trust center: https://trust.arcgis.com/en/

Keep on keeping on!

View solution in original post

2 Replies
JonEmch
Esri Regular Contributor

Hey there Hannah, thank you for posting. I would like to point you to our blog on this o-day found here: ArcGIS and Apache Log4j Vulnerabilities.

In it, our security team mentions that:

"Several ArcGIS Enterprise components contain the vulnerable log4j library, however there is no known exploit available for any version of a base ArcGIS Enterprise deployment (including the ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store components) or stand-alone ArcGIS Server at this time."

We are aware of the log4j file at the location you posted, and the mitigating scripts in that blog should remove them. If you have any questions, please reply to me or reach out to our trust center: https://trust.arcgis.com/en/

Keep on keeping on!
HannahKrebs
New Contributor

Excellent, thank you so much for the quick response!