Apache Log4j Vulnerability: Here's what we know

By now, almost everyone in the tech world has heard about the Apache Log4j library vulnerability. While we are experts in all things GIS, we won't pretend to have all the answers to this problem. However, in the interest of transparency and helping to spread the word, we want to share some general takeaways on what we know and some helpful links for more information.

General Information

Our Big Takeaways

  • Pro is “not known to be exploitable because it does not listen to remote traffic.”

  • Esri is patching ArcGIS Online.

  • Esri has provided Python scripts to mitigate potential vulnerabilities in ArcGIS Enterprise components.

  • Esri reports “there is no known exploit available for any version of a base ArcGIS Enterprise deployment” currently.

Cybersecurity and Infrastructure Security Agency (CISA)

The article below from CISA provides a useful summary of Log4j vulnerability guidance that customers may want to reference in addition to our product-specific recommendations.

Apache Log4j Vulnerability Guidance

Esri Software

The vulnerability potentially affects some versions of ArcGIS Enterprise. We strongly recommend immediate mitigating actions in these cases. Please refer to the ArcGIS Blog for the most up-to-date guidance on affected versions and associated mitigations.

Esri recommends that all ArcGIS customers review their blog on the subject:

ArcGIS and Apache Log4j Vulnerabilities

ArcGIS Enterprise Mitigations

Log4Shell mitigation scripts…have been validated for versions 10.6 and above; however, they should work on older versions of ArcGIS Enterprise and ArcGIS Server as well.
— Randall Williams, Esri's Software Security and Privacy Team

Out of an abundance of caution, Esri has created Log4Shell mitigation scripts and strongly recommends applying them to every installation of ArcGIS Enterprise and ArcGIS Server, whatever the version. The scripts remove the JndiLookup class, which is the only mitigation measure recommended by Apache Log4j that does not require updating the Log4j version. This action fully addresses CVE-2021-44228 and CVE-2021-45046. Watch below as Virginia walks us through running these scripts:
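As an added illustration (our example, not Esri's script and not part of the original post), the Python below does what the paragraph describes: it walks a directory for log4j-core jars, reports which ones still contain JndiLookup.class, and strips that entry from those that do. The jar names and contents built in run_demo are constructed stand-ins, not real Log4j files.

```python
import os
import shutil
import tempfile
import zipfile

# The entry whose removal is the no-upgrade mitigation described above.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class (mitigation not applied)."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; returns True if it was changed."""
    if not has_jndi_lookup(jar_path):
        return False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(jar_path + ".tmp", "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))  # keeps entry metadata
    os.replace(jar_path + ".tmp", jar_path)  # atomic swap; back up the jar first in production
    return True

def scan_tree(root):
    """Map every log4j-core*.jar under root to whether it still contains JndiLookup."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                found[path] = has_jndi_lookup(path)
    return found

def make_sample_jar(path, with_jndi):
    """Constructed stand-in for a log4j-core jar: placeholder bytes, not real classes."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")

def run_demo():
    """Constructed tree: one jar still has JndiLookup, one was already stripped."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "lib"))
        make_sample_jar(os.path.join(root, "log4j-core-2.x.jar"), with_jndi=True)
        make_sample_jar(os.path.join(root, "lib", "log4j-core-old.jar"), with_jndi=False)
        before = scan_tree(root)
        changed = sum(strip_jndi_lookup(p) for p, flagged in before.items() if flagged)
        after = scan_tree(root)
        return sum(before.values()), changed, sum(after.values())  # (1, 1, 0)
    finally:
        shutil.rmtree(root)
```

Point scan_tree at an ArcGIS Enterprise or ArcGIS Server installation directory to confirm, after running Esri's scripts, that no log4j-core jar still reports True.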

For more help on this and any other ArcGIS Enterprise needs contact us at cloudpointgeo.com/enterprise or call the office at 877.377.8124.