ArcGIS Enterprise

ArcGIS and Apache Log4j Vulnerabilities

Initial Post 12/12/21 – Last Updated 9/8/22

Esri investigated the impact of the following Log4j library vulnerabilities as some Esri products contain this common logging tool:

This bulletin contains the latest information about Esri products and will be updated if necessary.

The Joint Cybersecurity Advisory, representing cybersecurity organizations around the globe, provides a useful summary of Log4j vulnerability mitigation guidance that customers may want to reference in addition to our product specific recommendations.  Two aspects your organization should consider implementing are alerting and blocking mechanisms for this issue.  To help ease implementing the recommended blocking mechanism of a Web Application Firewall (WAF) with Esri products, we have a Web Application Filter Rules guide located within the customer accessible documents area of the ArcGIS Trust Center.

Note that our mitigation measures are in alignment with Emergency Directive 22-02 Mitigate Apache Log4 Vulnerability.

ArcGIS Enterprise

Several ArcGIS Enterprise components contain the vulnerable log4j library, however there is no known exploit available for any version of a base ArcGIS Enterprise deployment (including the ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store components) or stand-alone ArcGIS Server at this time.

Esri has evaluated the potential impact of CVE-2021-45105, an infinite recursion denial-of-service attack against Log4j, in Portal for ArcGIS, ArcGIS Server, and ArcGIS Data Store and determined that those software components do not use the pattern layouts necessary for attackers to exploit the vulnerability.

Out of an abundance of caution, Esri initially created Log4Shell mitigation scripts, subsequently released patches, and more recently has introduced new product versions.  We recognize some customers have rigorous requirements concerning Log4j 2.x vs Log4j 1.x components on their systems and highlight our treatment for each below.

ArcGIS Enterprise 11.0 base deployment (Recommended)

Object Store
–     
Not installed by default for new Enterprise deployments, except for ArcGIS Enterprise Builder deployments on Windows
–      Will be installed when upgrading from earlier versions
–      If desired, it can be uninstalled via Apps & Features in Windows

Internal logger
–      If desired, the .jar file can be removed (deleted) without effect on application security or functionality
–      Location: \ArcGIS\DataStore\framework\webapps\arcgis#datastoreadmin\WEB-INF\lib\log4j-1.2.17-patched.jar

Patches for ArcGIS Enterprise

Notes:

ArcGIS Online

Though a Log4j exploit has not been identified for ArcGIS Online, out of an abundance of caution, patching and updates were completed to eliminate the vulnerable code from this FedRAMP authorized SaaS offering.

Esri Managed Cloud Services

EMCS Advanced and Advanced+ have implemented web filter mitigations for Log4j vulnerabilities. We have applied the scripts that remove the JNDILookup class to all affected systems as recommended in this announcement.

ArcMap

Does not include Log4j and is therefore not vulnerable to these CVE’s.  See Desktop Extensions section if utilizing optional, separate install extensions.

ArcGIS Monitor

Does not contain Log4j and is therefore not vulnerable to these CVE’s.

ArcGIS Pro

All ArcGIS Pro versions under General Availability support contain Log4j, but are not known to be exploitable as the software does not listen for remote traffic.

ArcGIS Pro Data Interoperability Extension

ArcMap Data Interoperability Extension

License Manager

This product utilizes components from Flexera, and Esri does NOT include the vulnerable example files referenced by Flexera in their Log4j statement. Log4j is not included with Esri’s License Manager and is therefore NOT vulnerable to the CVE’s in this announcement.

Esri Geoportal Server

This open source product was updated to version 2.65 on Dec 17th to resolve Log4j issues, please upgrade to this latest release.


Security Scanner False Positives

A number of third-party components that include Log4j as a dependency will have Log4j filenames containing the version of the third-party component which a scanner may detect as a vulnerable Log4j version despite using the latest Log4j version. Frequently, the third-party component name is appended in front of the Log4j filename which can help false positive identification efforts.

Log4j 1.x bridge filenames frequently contain Log4j-1.2 as part of the filename and may mistakenly be identified as Log4j 1.x code. Using the Log4j 1.x Bridge is a widely accepted mitigation of Log4j 1.x concerns and described by Apache here.  Until third-party components we utilize move their supported offering to Log4j 2.x, we will continue utilizing the Bridge to ensure risks are mitigated.  Frequently, Log4j 1.x Bridge filenames match the pattern Log4j-1.2-api-2.17.1, where 2.17.1 is the actual version of the code used for the Bridge, which can help false positive identification efforts.

Bottomline, several security scanners by default perform rudimentary validation of Log4j security issues resulting in false positive critical alerts even after Esri’s patches are applied or latest product versions are utilized.  To avoid false positives, make sure the scanner is appropriately configured and ensure your team is looking at the right location/plugin results – or just use a simpler, purpose-built security tool to validate and provide your security team the assurance the issue has been addressed.

– Esri Software Security & Privacy Team

Next Article

Searching for Features in Maps and Apps

Read this article