ArcGIS and Apache Log4j Vulnerabilities

Initial Post 12/12/21 – Last Updated 5/6/22

Esri investigated the impact of the following Log4j library vulnerabilities as some Esri products contain this common logging tool:

• CVE-2021-44228 – Log4j 2.x JNDILookup RCE fix 1
  –  Disclosed 12/9/21 – Critical
• CVE-2021-45046 – Log4j 2.x JNDILookup fix 2
  –  Disclosed 12/14/21 – Critical
• CVE- 2021-4104 – Log4j 1.2 JMSAppender
  –  Disclosed 12/14/21 – High
• CVE-2021-45105 – Log4j 2.x Context Lookups DoS
  –  Disclosed 12/18/21 – Medium
• CVE-2021-44832 – Log4j 2.x JDBCAppender
  –  Disclosed 12/28/21 – Medium
• CVE-2022-23305 – Log4j 1.2.x JDBCAppender
  – Disclosed 1/18/22 – Critical
• CVE-2022-23302 – Log4j 1.2.x JMSSink
  – Disclosed 1/18/22 – High
• CVE-2022-23307 – Log4j 1.2.x Chainsaw
  – Disclosed 1/18/22 – Critical

This bulletin contains the latest information about Esri products and will be updated if necessary.

The Joint Cybersecurity Advisory, representing cybersecurity organizations around the globe, provides a useful summary of Log4j vulnerability mitigation guidance that customers may want to reference in addition to our product specific recommendations.  Two aspects your organization should consider implementing are alerting and blocking mechanisms for this issue.  To help ease implementing the recommended blocking mechanism of a Web Application Firewall (WAF) with Esri products, we have a Web Application Filter Rules guide located within the customer accessible documents area of the ArcGIS Trust Center.

Note that our mitigation measures are in alignment with Emergency Directive 22-02 Mitigate Apache Log4 Vulnerability.

ArcGIS Enterprise

Several ArcGIS Enterprise components contain the vulnerable log4j library, however there is no known exploit available for any version of a base ArcGIS Enterprise deployment (including the ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store components) or stand-alone ArcGIS Server at this time.

Esri has evaluated the potential impact of CVE-2021-45105, an infinite recursion denial-of-service attack against Log4j, in Portal for ArcGIS, ArcGIS Server, and ArcGIS Data Store and determined that those software components do not use the pattern layouts necessary for attackers to exploit the vulnerability.

Out of an abundance of caution, Esri initially created Log4Shell mitigation scripts, and subsequently released patches that should be applied to your systems:

• ArcGIS Server –  10.6, 10.6.1, 10.7.1, 10.8.1, 10.9, 10.9.1 (ArcGIS GIS Server, ArcGIS GeoAnalytics Server, and ArcGIS Image Server)
• Portal for ArcGIS – 10.6, 10.6.1, 10.7.1, 10.8.1, 10.9 10.9.1
• ArcGIS Data Store – 10.6, 10.6.1, 10.7.1, 10.8.1, 10.9, 10.9.1 
• ArcGIS GeoEvent Server – 10.6, 10.6,1, 10.7.1, 10.8.1, 10.9, 10.9.1
• ArcGIS Workflow Manager Server – 10.9.1
• ArcGIS GeoEnrichment Server –10.7.1, 10.8.1, 10.9 10.9.1
• ArcGIS Data Interoperability for Server –10.6, 10.6.1, 10.7.1, 10.8.1, 10.9, 10.9.1
• ArcGIS Notebook Server – 10.7.1, 10.8.1, 10.9, 10.9.1
• ArcGIS Enterprise on Kubernetes – 10.9.1

Notes:

• Not all Enterprise products must be patched at the same time – Backup files created by the initial mitigation scripts can be deleted from your systems after patching is complete.
• Base ArcGIS Enterprise components do not utilize and are therefore not vulnerable to:
  –  Log4j 1.2 JMSAppender – CVE-2021-4104
  –  Log4j 2.x JDBCAppender – CVE-2021-44832
• The ArcGIS Web Adaptor does not use Log4j core and is therefore not vulnerable.

ArcGIS Notebook Server

This product consists of two parts, the underlying framework and a Docker container image:

• Underlying framework – This does not contain Log4j, except for version 10.7.x of the product which does NOT include the vulnerable JMSAppender class and is therefore NOT vulnerable to CVE’s 2021-44228, 2021-45046, or 2021-4104.
• Docker container image – This contains Log4j, however for a person to be able to execute the component they would need to be granted permissions to the notebook container, so Log4j does not present additional RCE risk in this configuration.

ArcGIS Online

Though a Log4j exploit has not been identified for ArcGIS Online, out of an abundance of caution, patching and updates were completed to eliminate the vulnerable code from this FedRAMP authorized SaaS offering.

Esri Managed Cloud Services

EMCS Advanced and Advanced+ have implemented web filter mitigations for Log4j vulnerabilities. We have applied the scripts that remove the JNDILookup class to all affected systems as recommended in this announcement.

ArcMap

Does not include Log4j and is therefore not vulnerable to these CVE’s.  See Desktop Extensions section if utilizing optional, separate install extensions.

ArcGIS Monitor

Does not contain Log4j and is therefore not vulnerable to these CVE’s.

ArcGIS Pro

All ArcGIS Pro versions under General Availability support contain Log4j, but are not known to be exploitable as the software does not listen for remote traffic.

• ArcGIS Pro 2.6.1, 2.7.6, 2.8.6, 2.9.2 update all Log4j 2.x components to 2.17.1 and remove all vulnerable Log4j 1.2.x classes.

ArcGIS Pro includes Log4j by default to support two functional areas:

ArcGIS Pro GeoAnalytics Desktop Tools

• The underlying Log4j component does NOT utilize the vulnerable JMSAppender class and is therefore NOT vulnerable to the CVE’s in this announcement.
• Esri will update the version of Log4j through normal maintenance patches and initially utilize the Log4j 1.2 bridge for Spark until the framework supports Log4j V2.17.x+

ArcGIS Pro SAS-ArcGIS Bridge

• ArcGIS Pro 2.7.5+, 2.8.5+, 2.9.2+ address Log4j CVE’s for this component by updating to Log4j 2.17.1.

See Desktop Extensions section below if utilizing optional, separate install extensions.

Desktop Extensions

Below is a summary of optional (non-default) extensions and their vulnerability status:

ArcGIS Pro Data Interoperability Extension

• Patches available for 2.7, 2.8, 2.9 from My Esri
• ArcGIS Data Interoperability for ArcGIS Pro for each specific version must be installed prior to installing any ArcGIS Data Interoperability for ArcGIS Pro patches.

ArcMap Data Interoperability Extension

• Patch available for 10.8.2
• ArcMap is no longer covered by General Availability support and we encourage our customers to migrate to ArcGIS Pro.  If your organization must continue to utilize ArcMap, please ensure you are utilizing the final product release of 10.8.2 and patch accordingly.

License Manager

This product utilizes components from Flexera, and Esri does NOT include the vulnerable example files referenced by Flexera in their Log4j statement. Log4j is not included with Esri’s License Manager and is therefore NOT vulnerable to the CVE’s in this announcement.

Esri Geoportal Server

This open source product was updated to version 2.65 on Dec 17th to resolve Log4j issues, please upgrade to this latest release.

Validating Mitigations and Security Scanner False Positive Alerts

• Tenable security scanner – Provides numerous plugins to help detect Log4j issues, however default Plugin 156002 only checks the versions of Log4j and therefore creates a false positive critical alert for customers who have used Esri’s mitigation scripts.  Customers should point their security teams to the Ports sections of Plugin 156001 instead, as it correctly indicates if the Critically vulnerable code has been removed from Log4j and will show:
  JndiLookup.class association : Not Found.
• LogPresso Log4j Scanner – This free tool listed by the Center of Internet Security for identifying Log4j issues, correctly identifies if your ArcGIS Enterprise Log4j components have been mitigated for the critical vulnerabilities by default.  The tool requires no install, runs natively on Windows or Linux, typically takes less than two minutes to scan our products, and can be executed at a command prompt by simply pointing it to the installation directory (target_path) of our product as follows:
  log4j2-scantarget_path

Bottomline, several security scanners by default perform rudimentary validation of Log4j security issues resulting in false positive critical alerts even after Esri’s mitigation scripts are run.  To avoid false positives, make sure the scanner is appropriately configured and ensure your team is looking at the right location/plugin results – or just use a simpler, purpose-built security tool to validate and provide your security team the assurance the issue has been addressed.

– Esri Software Security & Privacy Team