Security scan on fully patched 10.9 Enterprise (Linux) shows log4j and other vulnerabilities

09-14-2022 06:39 AM
Jay_Gregory
Occasional Contributor III

We have a fully patched 10.9 Enterprise system (Portal, DataStore, Server, GeoEvent), but security scans (Nessus Scanners from Tenable) result in some high log4j and Tomcat vulnerabilities. Security team is saying we need to remediate or upgrade. I believe the machines originally had 10.7 or 10.8 and have been upgraded a couple times.

Curious if folks have had experience with this. My only thought is that upgrades and patches do not delete old jar files, and the security scans are just looking at version numbers. I know that old directories sometimes do not get deleted from doing some upgrades myself, but have never heard of a false positive for security vulnerabilities as an unintended result.


Accepted Solutions
JeffSmith
Esri Contributor

I reviewed the attached spreadsheet and based on that, it appears the Nessus Scanners from Tenable are only inspecting the filename. I'm a bit surprised by that. I would have expected more in-depth examinations by the scanner. If you use another scanner like Logpresso, you should be able to confirm the log4j jars are patched.

You are correct about how the patch handled the log4j jar files. For the log4j 1.x jars, the version was not changed but the vulnerable classes within the jar were removed (this includes the JMSAppender class). For the log4j 2.x jars, they were updated to version 2.17.1. Any log4j 2.x jars with the version as part of the filename were not deleted but all classes inside were removed. This was done to avoid potential conflicts with the patching process.

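The accepted answer explains why a filename-only scanner misfires: a jar named log4j-core-2.11.1.jar may have had every class stripped out, and a log4j 1.x jar keeps its version but loses JMSAppender. The script below is an added example, not code from the thread, Esri or Tenable. It opens each jar and reports what is actually inside: the version implied by the filename, the Implementation-Version in META-INF/MANIFEST.MF, the number of classes present, and whether a known-vulnerable class is still there. JMSAppender is the class the thread names for log4j 1.x; JndiLookup is the well-known class removed from log4j 2.x by the usual mitigation and is an assumption here, since the thread does not name it. The sample jars are constructed in memory so the script runs offline.

```python
"""Inspect log4j jars by content rather than by the version in the filename.

Added example, not from the original thread. Status values:
  VULNERABLE  - a known-vulnerable class is still inside the jar
  EMPTY_SHELL - the jar keeps its old name but contains no classes at all
                (what the thread describes for patched log4j 2.x jars)
  OK          - classes are present, none of the listed vulnerable ones
"""
import io
import re
import zipfile
from pathlib import Path

# Classes whose presence means the jar was not mitigated.
# JMSAppender is named in the thread (log4j 1.x). JndiLookup is the class
# removed from log4j 2.x by the common mitigation; assumption, not from the thread.
VULNERABLE_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "log4j 1.x JMSAppender",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j 2.x JndiLookup",
}

# Matches e.g. log4j-core-2.11.1.jar or log4j-1.2.17.jar and captures the version.
VERSION_IN_NAME = re.compile(r"log4j[\w.-]*?-(\d+\.\d+(?:\.\d+)?)\.jar$")


def version_from_filename(name):
    """Version string a filename-only scanner would key on, or None."""
    m = VERSION_IN_NAME.search(name)
    return m.group(1) if m else None


def version_from_manifest(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(name, data):
    """Describe one jar from its filename and raw bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = set(zf.namelist())
        found = [label for path, label in VULNERABLE_CLASSES.items() if path in entries]
        class_count = sum(1 for e in entries if e.endswith(".class"))
        if found:
            status = "VULNERABLE"
        elif class_count == 0:
            status = "EMPTY_SHELL"
        else:
            status = "OK"
        return {
            "jar": name,
            "filename_version": version_from_filename(name),
            "manifest_version": version_from_manifest(zf),
            "class_count": class_count,
            "vulnerable_classes": found,
            "status": status,
        }


def scan_directory(directory):
    """Inspect every *.jar under a directory tree (e.g. an ArcGIS install root)."""
    return [inspect_jar(p.name, p.read_bytes()) for p in Path(directory).glob("**/*.jar")]


def build_jar(entries):
    """Construct an in-memory jar from {path: bytes}; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample jars (not real artifacts). The class bodies are just the
# Java class-file magic number, enough for the name-based check.
FAKE_CLASS = b"\xca\xfe\xba\xbe"
SAMPLES = {
    # Old name kept, every class removed: the patched state the thread describes.
    "log4j-core-2.11.1.jar": build_jar(
        {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 2.11.1\n"}
    ),
    # Unmitigated 2.x jar: JndiLookup still present.
    "log4j-core-2.14.0.jar": build_jar(
        {
            "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 2.14.0\n",
            "org/apache/logging/log4j/core/lookup/JndiLookup.class": FAKE_CLASS,
        }
    ),
    # 1.x jar with JMSAppender removed but other classes intact.
    "log4j-1.2.17.jar": build_jar({"org/apache/log4j/Logger.class": FAKE_CLASS}),
}

if __name__ == "__main__":
    for jar_name, jar_bytes in SAMPLES.items():
        print(inspect_jar(jar_name, jar_bytes))
```

Run it against a real install with `scan_directory("/path/to/arcgis")` and compare the `status` column with the scanner's findings: a jar flagged by version string but reported here as EMPTY_SHELL or OK (with a 2.17.1 manifest) is the false-positive pattern the answer describes, while a VULNERABLE row is a genuine finding regardless of what the filename says.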

2 Replies
Jay_Gregory
Occasional Contributor III

Thank you @JeffSmith. This is incredibly helpful!
