Good afternoon, are there any patches in the works or potential mitigation steps for the latest Java Log4j vulnerability (CVE-2021-44228)? I know that GeoEvent Server uses Log4j and can assume some other Enterprise servers or Portal potentially do as well. Any help would be appreciated in resolving this zero-day.
Thanks,
ArcGIS Enterprise base deployment shows more than 50 affected .jar files (Esri and 3rd party like Elasticsearch).
Looking forward to any updates/patches/support.
Cheers
Kai
Hi
Do you know if it is possible to set environment variables which ArcGIS Server uses on Windows Server?
I ask this because https://logging.apache.org/log4j/2.x/security.html says: "Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. "
I am just asking; I don't know if this is the correct solution.
Br
Markus
Do we have any updates on this? Do we have to shutdown the portal and server services as a precaution?
Our current statement is available on https://trust.arcgis.com. Look for more updates as this issue evolves.
Hi Randall,
the statement does not make clear a couple of important points:
- does the 10.9.1 version definitively solve the problem?
- is the problem only for the ArcGIS Enterprise Java version or also for the .NET one?
Thanks
Gianni
the blog says "mitigated" with 10.9 - "to make (something) less severe, harmful, or painful. "
Hi Adrian,
the mitigation statement is for the 10.8.1 version, while regarding 10.9 it says "We recommend updating to the latest version of 10.9.1 for the strongest security posture" and I can't figure out if it's a solution or just a generic recommendation.
Gianni
I read it differently:
Upgrade to ArcGIS Enterprise 10.8 or later, as risk is mitigated with these versions – We recommend updating to the latest version of 10.9.1 for the strongest security posture.
so version 10.8 and above "mitigate", and of course 10.9 will always be best.
10.9 is not ideal as 10.9 is a 'short release'. It would have to be 10.9.1.
How do I check for the Log4j vulnerability on my current system? I am currently using Esri Enterprise 10.4.
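One way to answer the last question and to produce the kind of affected-jar inventory mentioned earlier in the thread is to walk the install tree, open every .jar/.war (including jars nested inside wars) and report which ones carry log4j-core's JndiLookup class and which log4j-core version they declare. This is an added example, not Esri's or Apache's code and not a tool anyone in the thread posted; it assumes the standard log4j-core layout (the JndiLookup.class path and the Maven pom.properties entry), and the jars it scans in `demo()` are constructed samples, not real artifacts.

```python
import io, os, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # the JNDI lookup code path
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # carries the version
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def inspect_archive(data, name):
    """Return [(name, log4j-core version or None, has JndiLookup)] for this archive and any nested jar/war."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # not a zip container, nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines() if POM_PROPS in names else []
        version = next((p.split("=", 1)[1].strip() for p in props if p.startswith("version=")), None)
        findings = [(name, version, JNDI_CLASS in names)] if version or JNDI_CLASS in names else []
        for inner in sorted(n for n in names if n.lower().endswith(ARCHIVE_EXT)):
            findings.extend(inspect_archive(zf.read(inner), name + "!" + inner))  # recurse into nested archives
    return findings


def scan_tree(root):
    """Walk an install tree (e.g. the ArcGIS Server directory) and inspect every archive found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(f for f in files if f.lower().endswith(ARCHIVE_EXT)):
            with open(os.path.join(dirpath, fn), "rb") as fh:
                findings.extend(inspect_archive(fh.read(), os.path.join(dirpath, fn)))
    return findings


def is_exposed(version, has_jndi):
    """CVE-2021-44228 was fixed in log4j-core 2.15.0; later builds still keep JndiLookup, so the version decides."""
    m = re.match(r"(\d+)\.(\d+)", version or "")
    return bool(has_jndi and m and int(m.group(1)) == 2 and int(m.group(2)) < 15)


def sample_jar(version):
    """Constructed minimal log4j-core-like jar bytes (sample input for this example, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "version=%s\n" % version)
        zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()


def demo():
    """Scan a constructed tree: a 2.13.3 jar nested inside a war next to a standalone 2.15.0 jar."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "log4j-core-2.15.0.jar"), "wb") as fh:
        fh.write(sample_jar("2.15.0"))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", sample_jar("2.13.3"))
    return [(n[len(root) + 1:], v, is_exposed(v, j)) for n, v, j in scan_tree(root)]
```

On a real system call `scan_tree()` on the ArcGIS install directory and treat every entry where `is_exposed()` is true, or where the version is missing, as something to check against the Apache advisory before deciding whether the environment-variable mitigation or an upgrade applies.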