The investigation continues into the Log4j vulnerability (AKA Log4Shell): CVE-2021-44228 was disclosed on December 9, 2021, and related CVEs (2021-45046, 2021-4104) were disclosed on December 14, 2021.
Article updated January 23, 2022: Added links to more software instructions (Workflow and GeoEnrichment Servers) and a Related Technologies section.
Is ArcGIS Software at Risk?
Like many enterprise software packages, ArcGIS server software uses the open-source Log4j module, so regardless of whether it is exploitable, take all mitigation measures available.
As of writing, no exploits have been identified with ArcGIS products. However, closing the potential vulnerability is still best practice and highly recommended. Errr, this is more than a recommendation - mitigate by patching regardless. Even if you are using the Windows version of ArcGIS Server/Enterprise/Portal, the ArcGIS software uses Java behind the scenes - the Web Adaptor is then used to proxy traffic from Windows IIS to the real GIS server itself. So Linux or Windows, whatever version, fix it.
Props to Esri as they’ve been researching and posting on the situation since the start on their blog. Keep checking their pages as they update daily. At this point, Esri has already posted scripts to help mitigate the threat across many of their server products. This ST article was delayed until now for this reason.
Which Esri Software is Vulnerable?
There are only potential vulnerabilities at this point. Esri currently states there are no known exploits with ArcGIS products. However, be diligent and take the recommended mitigation measures now.
“No known exploit available for any version of a base ArcGIS Enterprise deployment (including the ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store components) or stand-alone ArcGIS Server at this time” ~esri blog.
So if you are using ArcGIS server technologies (all 10.x releases), use the links below to start patching.
Software to patch with links to the script downloads and instructions:
- ArcGIS Server
- Portal for ArcGIS
- ArcGIS Data Store
- ArcGIS GeoEvent Server
- ArcGIS Workflow Manager Server
- ArcGIS GeoEnrichment Server
After going through the workflow, it is pretty straightforward. I successfully ran the --list command with no issues. The only hiccup I had was running the actual --delete command. I was logged in as an Administrator, but I still had to open the Command Prompt with “Run as administrator” for the second execution to work properly. Otherwise, everything went smoothly. Note: It automatically makes backups of the files for you too which is a nice touch. Update: instruction pages do explain the admin access in more detail now.
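An independent check to run after the mitigation, added here as an example (it is not Esri's script and not code from the original article): it walks a directory you pass on the command line and reports every JAR/WAR, including archives nested inside other archives, that still contains the JndiLookup class the mitigation removes. The function names, the list of archive extensions and the nesting limit are assumptions of this example.

```python
import io
import os
import sys
import zipfile

# Path of the lookup class inside log4j-core that the mitigation removes.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")  # assumed set of container types


def scan_archive(fileobj, label, depth=0, max_depth=4):
    """Return labels of this archive and nested archives that still hold the class."""
    hits = []
    try:
        with zipfile.ZipFile(fileobj) as zf:
            names = zf.namelist()
            if JNDI_CLASS in names:
                hits.append(label)
            if depth < max_depth:
                for name in names:
                    if name.lower().endswith(ARCHIVE_EXTS):
                        # Nested archive (e.g. a JAR inside a WAR): scan it in memory.
                        inner = io.BytesIO(zf.read(name))
                        hits += scan_archive(inner, f"{label}!{name}", depth + 1, max_depth)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # corrupt or encrypted archive: skipped here; a stricter audit would report it
    return hits


def scan_tree(root):
    """Walk root and list every archive (or nested archive) that still ships the class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                hits += scan_archive(path, path)
    return sorted(hits)


if __name__ == "__main__":
    remaining = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in remaining:
        print("JndiLookup.class still present:", hit)
    sys.exit(1 if remaining else 0)  # non-zero exit lets a scheduled job flag the host
```

An empty result only shows that the class file is gone from archives the account running the check can read, so run it with the same elevated rights the removal itself needed.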
Now, stop reading, start patching.
Related technology/software notes (added Jan 06, 2022 from Esri blog updates):
- ArcGIS Notebook Server: The underlying framework does not contain or for 10.7x does NOT include the vulnerable JMSAppender class. The Docker container image contains Log4j, however for a person to be able to execute the component they would need to be granted permissions to the notebook container, so Log4j does not present additional RCE risk in this configuration. A patch will be made available in the future regardless.
- ArcGIS Online: Esri continues to perform patching of ArcGIS Online systems including some updates with the latest log4j version of 2.17 and is continuing to evaluate the CVE as well as all relevant third-party fixes as they become available.
- Esri Managed Cloud Services: EMCS Advanced and Advanced+ have implemented web filter mitigations for Log4j vulnerabilities and have applied the scripts that remove the JNDILookup class to all affected systems.
- ArcGIS Monitor: Does not contain Log4j
- ArcGIS Pro: All ArcGIS Pro versions under General Availability support contain Log4j, but are not known to be exploitable as the software does not listen for remote traffic.
- Esri Geoportal Server: This open source product was updated to version 2.65 on Dec 17th to resolve Log4j issues; please upgrade to this latest release.