|
POST
|
We’re in the process of finalizing our review of this new CVE. We also provided a significant update to our advisory on the Trust center today.
12-20-2021
06:55 PM
|
3
|
2
|
3334
|
|
BLOG
|
@Anonymous User It changed December 15. Subscribe to the RSS feed on the ArcGIS Trust Center.
12-20-2021
07:51 AM
|
1
|
0
|
7217
|
|
BLOG
|
@RobertDarlow I can provide clarity. On Friday, Dec 10 (when this issue broke) the guidance provided by Apache indicated that apps that use Java 8.0.121+ were protected by built-in protections in Java that prevented the deserialization and execution of remote code. They also indicated that an environment variable would mitigate. Researchers quickly discredited those mitigation measures, so we removed them from our guidance. As you can tell, this is still an evolving situation - Apache released Log4J 2.17 Friday, December 17. Run the scripts and check the advisory.
12-20-2021
07:03 AM
|
0
|
0
|
7231
|
|
POST
|
We are aware of this new issue and are investigating. I'm not yet sure we set those non-default patterns and if we do, where.
12-19-2021
07:52 AM
|
3
|
3
|
2794
|
|
POST
|
This isn't related to the Log4j scripts we've provided. I've seen something similar. Try restarting the datastore service. I believe there's a bug out there support logged.
12-19-2021
07:29 AM
|
0
|
5
|
2800
|
|
POST
|
Look for an update in our advisory re: PRO today. FWIW: Our response has initially focused first on what's most at risk and cascades from there. We are now moving to make statements regarding what's less at risk.
12-17-2021
08:40 AM
|
1
|
0
|
2922
|
|
POST
|
@LaurensGIS Please open a case with Esri Support. We haven't yet seen an issue that is directly caused by this script - it only modifies Log4J files. We did test these scripts extensively before we released them.
12-17-2021
06:47 AM
|
0
|
2
|
2947
|
|
BLOG
|
@SaraSiskavich There is a WAF guide on https://trust.arcgis.com. It's been updated in response to this issue. It's under the documents tab - in the customer-only docs tile. You need to sign in w/ your ArcGIS account to access.
12-17-2021
06:07 AM
|
0
|
0
|
7442
|
|
POST
|
https://www.esri.com/en-us/legal/requirements/open-source-acknowledgements
12-16-2021
03:39 PM
|
2
|
0
|
2361
|
|
POST
|
Apache corrected this issue in Log4J in v 2.15 by disabling JNDILookup. In prior versions, it was enabled by default. There are no adverse effects we've seen by removing these classes. Removing these classes is a mitigation endorsed by Apache. https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
12-16-2021
03:37 PM
|
0
|
3
|
2388
|
|
POST
|
100%. Let's keep it real: Customers are (rightly) asking questions about a severe, media hyped vulnerability. But what are customers doing to address the OTHER severe, NON-media hyped vulnerabilities we've patched in accordance with our product life cycle (where patches aren't available for software (like 10.5.x) in mature support)? Esri has released 24 CVEs since becoming a CNA this year. There will be more early next year. None of the patches for these CVEs target software in mature support.
12-16-2021
10:27 AM
|
1
|
4
|
3168
|
|
POST
|
Sorry for the delayed reply. I see what you're saying, we made a backup when you upgraded. That's a backup in case your upgrade failed and you needed to bail out. I'd maybe archive it on an offline drive and just delete that directory.
12-15-2021
05:58 PM
|
0
|
0
|
9167
|
|
BLOG
|
@Anonymous User While we didn't test versions lower than 10.6.1 because they are so out of date, the script provided should work and you should use it. Then you should upgrade and install all the security patches you've missed out on over the last few years.
12-15-2021
10:50 AM
|
0
|
0
|
7706
|