
ArcGIS and Log4j Vulnerabilities

The investigation into the Log4j vulnerability (AKA Log4Shell) continues: CVE-2021-44228 was disclosed on December 9, 2021, and related CVEs (2021-45046, 2021-4104) were disclosed on December 14, 2021.

Is ArcGIS Software at Risk?

Like many enterprise software packages, ArcGIS server software uses the open-source Log4j module, so regardless of whether it is exploitable, take all mitigation measures available.

As of writing, no exploits have been identified with ArcGIS products. However, closing the potential vulnerability is still best practice and highly recommended. Errr, this is more than a recommendation - mitigate by patching regardless. Even if you are using the Windows version of ArcGIS Server/Enterprise/Portal, the ArcGIS software uses Java behind the scenes - the Web Adaptor is then used to proxy traffic from Windows IIS to the real GIS server itself. So Linux or Windows, whatever version, fix it.

Props to Esri as they’ve been researching and posting on the situation since the start on their blog. Keep checking their pages as they update daily. At this point, Esri has already posted scripts to help mitigate the threat across many of their server products. This ST article was delayed until now for this reason.

Which Esri Software is Vulnerable?

There are only potential vulnerabilities at this point. Esri currently states there are no known exploits with ArcGIS products. However, be diligent and take the recommended mitigation measures now.

“No known exploit available for any version of a base ArcGIS Enterprise deployment (including the ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store components) or stand-alone ArcGIS Server at this time” ~esri blog.

So if you are using ArcGIS server technologies (all 10.x releases), use the links below to start patching.

Software to patch with links to the script downloads and instructions:

Script Success

After going through the workflow, it is pretty straightforward. I successfully ran the --list command with no issues. The only hiccup I had was running the actual --delete command. I was logged in as an Administrator, but I still had to open the Command Prompt with “Run as administrator” for the second execution to work properly. Otherwise, everything went smoothly. Note: It automatically makes backups of the files for you too, which is a nice touch.

Now, stop reading, start patching.

Helpful Links
