{"id":1435562,"date":"2023-05-22T07:00:31","date_gmt":"2023-05-22T14:00:31","guid":{"rendered":"https:\/\/www.esri.com\/arcgis-blog\/?post_type=blog&#038;p=1435562"},"modified":"2023-05-22T14:31:30","modified_gmt":"2023-05-22T21:31:30","slug":"arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam","status":"publish","type":"blog","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam","title":{"rendered":"ArcGIS and Apache Log4j Vulnerabilities"},"author":5311,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"_searchwp_excluded":""},"categories":[37501],"tags":[24081,763302,763312,763322,35281],"industry":[],"product":[36571,36551,36561,763582],"class_list":["post-1435562","blog","type-blog","status-publish","format-standard","hentry","category-administration","tag-ssamymlgp","tag-cve-2021-44228","tag-log4shell","tag-logjam","tag-vulnerability","product-arcgis-enterprise","product-arcgis-online","product-arcgis-pro","product-trust-arcgis"],"acf":{"short_description":"Esri's updated statement regarding Log4j vulnerabilities (Log4Shell) and ArcGIS products","flexible_content":[{"acf_fc_layout":"content","content":"<p><em>Initial Post 12\/12\/21 &#8211; Last Updated 5\/22\/23<\/em><\/p>\n<p><strong><em>While Log4j issues have been mitigated for previous releases, we recommend customers upgrade to ArcGIS Enterprise 11.1 to eliminate potential security scanner false positives.<\/em><\/strong><\/p>\n<p>Esri has investigated the impact of the following Log4j library vulnerabilities as some Esri products contain this common logging tool:<\/p>\n<ul>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44228\">CVE-2021-44228<\/a>\u00a0\u2013 Log4j 2.x JNDILookup RCE fix 1<br \/>\n\u2013\u00a0 Disclosed 12\/9\/21 \u2013 Critical<\/li>\n<li><a 
href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45046\">CVE-2021-45046<\/a>\u00a0\u2013 Log4j 2.x JNDILookup fix 2<br \/>\n\u2013\u00a0 Disclosed 12\/14\/21 \u2013 Critical<\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-4104\">CVE-2021-4104<\/a>\u00a0\u2013 Log4j 1.2 JMSAppender<br \/>\n\u2013\u00a0 Disclosed 12\/14\/21 \u2013 High<\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45105?s=09\">CVE-2021-45105<\/a>\u00a0\u2013 Log4j 2.x Context Lookups DoS<br \/>\n\u2013\u00a0 Disclosed 12\/18\/21 \u2013 Medium<\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44832\">CVE-2021-44832<\/a>\u00a0\u2013 Log4j 2.x JDBCAppender<br \/>\n\u2013\u00a0 Disclosed 12\/28\/21 \u2013 Medium<\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-23305\">CVE-2022-23305<\/a>\u00a0\u2013 Log4j 1.2.x JDBCAppender<br \/>\n\u2013 Disclosed 1\/18\/22 \u2013 Critical<\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-23302\">CVE-2022-23302<\/a>\u00a0\u2013 Log4j 1.2.x JMSSink<br \/>\n\u2013 Disclosed 1\/18\/22 \u2013 High<\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-23307\">CVE-2022-23307<\/a>\u00a0\u2013 Log4j 1.2.x Chainsaw<br \/>\n\u2013 Disclosed 1\/18\/22 \u2013 Critical<\/li>\n<\/ul>\n<p>This bulletin contains the latest information about Esri products and will be updated if necessary.<\/p>\n<p>The Joint Cybersecurity Advisory, representing cybersecurity organizations around the globe, provides a\u00a0<a href=\"https:\/\/media.defense.gov\/2021\/Dec\/22\/2002913813\/-1\/-1\/0\/Joint_CSA_Mitigating_Log4Shell_Other_Log4j_Vulnerabilities_20211222_FINAL.PDF\">useful summary of Log4j vulnerability mitigation guidance<\/a>\u00a0that customers may want to reference in addition to our product-specific recommendations.\u00a0 Two aspects your organization should consider implementing are alerting and blocking mechanisms for this issue.\u00a0 To help ease implementing the 
recommended blocking mechanism of a Web Application Firewall (WAF) with Esri products, we have a\u00a0<a href=\"https:\/\/trust.arcgis.com\/en\/customer-documents\/ArcGIS%20Enterprise%20Web%20Application%20Filter%20Rules%20v2.127.pdf\">Web Application Filter Rules<\/a>\u00a0guide located within the customer-accessible documents area of the\u00a0<a href=\"https:\/\/trust.arcgis.com\/en\/documents\/\">ArcGIS Trust Center<\/a>.<\/p>\n<p>Note that our mitigation measures are in alignment with\u00a0<a href=\"https:\/\/www.cisa.gov\/emergency-directive-22-02\">Emergency Directive 22-02 Mitigate Apache Log4j Vulnerability.<\/a><\/p>\n<p><strong>ArcGIS Enterprise<\/strong><\/p>\n<p>Several ArcGIS Enterprise components contain the vulnerable Log4j library; however, there is\u00a0<u>no<\/u>\u00a0known exploit available for\u00a0<u>any<\/u>\u00a0version of a base ArcGIS Enterprise deployment (including the ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store components) or stand-alone ArcGIS Server at this time.<\/p>\n<p>Esri has evaluated the potential impact of CVE-2021-45105, an infinite recursion denial-of-service attack against Log4j, in Portal for ArcGIS, ArcGIS Server, and ArcGIS Data Store and determined that those software components do not use the pattern layouts necessary for attackers to exploit the vulnerability.<\/p>\n<p>Out of an abundance of caution, Esri initially created Log4Shell mitigation scripts, subsequently released patches, and more recently has introduced new product versions.\u00a0 We recognize some customers have rigorous requirements concerning Log4j 2.x vs Log4j 1.x components on their systems and highlight our treatment for each below.<\/p>\n<p><strong>ArcGIS Enterprise 11.1 base deployment (Recommended<\/strong><strong>)<\/strong><\/p>\n<ul>\n<li>Log4j 2.x &#8211; Esri uses Log4j 2.19 and Ignite-Log4j2 v2.14. 
\u00a0<a href=\"https:\/\/blogs.apache.org\/ignite\/entry\/apache-ignite-2-11-1\">Apache Ignite<\/a>\u00a02.11.1 was a release that fixed <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-44228\">CVE-2021-44228<\/a><u>,\u00a0<\/u><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-45046\">CVE-2021-45046<\/a><u>,\u00a0<\/u><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-45105\">CVE-2021-45105<\/a> related to the ignite-log4j2 module usage.<\/li>\n<li>No Log4j 1.x code is utilized, as the Log4j Bridge is utilized to ensure only Log4j 2.x code is executed.<\/li>\n<\/ul>\n<p><strong>ArcGIS Enterprise 11.0 base deployment\u00a0<\/strong><\/p>\n<ul>\n<li>Log4j 2.x \u2013 Esri uses Log4j 2.17.1 or later<\/li>\n<li>Log4j 1.x \u2013 Esri uses this code for two components in ArcGIS Data Store, but known vulnerable classes were removed:<\/li>\n<\/ul>\n<p style=\"padding-left: 80px\"><em>Object Store<br \/>\n&#8211;\u00a0 \u00a0 \u00a0 <\/em>Not installed by default for new Enterprise deployments, except for ArcGIS Enterprise Builder deployments on Windows<br \/>\n&#8211;\u00a0 \u00a0 \u00a0 Will be installed when upgrading from earlier versions<br \/>\n&#8211;\u00a0 \u00a0 \u00a0 If desired, it can be uninstalled via Apps &amp; Features in Windows<\/p>\n<p style=\"padding-left: 80px\"><em>Internal logger<br \/>\n<\/em>&#8211;\u00a0 \u00a0 \u00a0 If desired, the .jar file can be removed (deleted) without effect on application security or functionality<br \/>\n&#8211;\u00a0 \u00a0 \u00a0 Location: \\ArcGIS\\DataStore\\framework\\webapps\\arcgis#datastoreadmin\\WEB-INF\\lib\\log4j-1.2.17-patched.jar<\/p>\n<ul>\n<li>No other Log4j 1.x code is utilized as the Log4j Bridge is utilized for other components<\/li>\n<li>No false positives due to \u201cempty\u201d files produced by patches<\/li>\n<\/ul>\n<p><strong>Patches for ArcGIS Enterprise<\/strong><\/p>\n<ul>\n<li>ArcGIS Server \u2013\u00a0\u00a0<a 
href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/arcgis-enterprise-log4j-security-patches-available\/\">10.6, 10.6.1, 10.7.1, 10.8.1, 10.9, 10.9.1<\/a>\u00a0(These patches are for ArcGIS GIS Server, ArcGIS GeoAnalytics Server, and ArcGIS Image Server)<\/li>\n<li>Portal for ArcGIS \u2013\u00a0<a href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/arcgis-enterprise-log4j-security-patches-available\/\">10.6, 10.6.1, 10.7.1, 10.8.1, 10.9, 10.9.1<\/a><\/li>\n<li>ArcGIS Data Store \u2013\u00a0<a href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/arcgis-enterprise-log4j-security-patches-available\/\">10.6, 10.6.1, 10.7.1, 10.8.1, 10.9, 10.9.1<\/a><\/li>\n<li>ArcGIS GeoEvent Server \u2013\u00a0<a href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/arcgis-enterprise-log4j-security-patches-available\/\">10.6, 10.6.1, 10.7.1, 10.8.1, 10.9, 10.9.1<\/a><\/li>\n<li>ArcGIS Workflow Manager Server \u2013\u00a0<a href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/arcgis-enterprise-log4j-security-patches-available\/\">10.9.1<\/a><\/li>\n<li>ArcGIS GeoEnrichment Server \u2013\u00a0<a href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/arcgis-enterprise-log4j-security-patches-available\/\">10.7.1, 10.8.1, 10.9, 10.9.1<\/a><\/li>\n<li>ArcGIS Data Interoperability for Server \u2013\u00a0<a href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/arcgis-enterprise-log4j-security-patches-available\/\">10.6, 10.6.1, 10.7.1, 10.8.1, 10.9, 10.9.1<\/a><\/li>\n<li>ArcGIS Notebook Server \u2013\u00a0<a href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/arcgis-enterprise-log4j-security-patches-available\/\">10.7.1, 10.8.1, 10.9, 10.9.1<\/a><\/li>\n<li>ArcGIS Enterprise on Kubernetes \u2013\u00a0<a 
href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/arcgis-enterprise-log4j-security-patches-available\/\">10.9.1<\/a><\/li>\n<\/ul>\n<p><em>Notes<\/em>:<\/p>\n<ul>\n<li>Not all Enterprise products must be patched at the same time<\/li>\n<li>Backup files created by the initial mitigation scripts can be deleted from your systems after patching is complete.<\/li>\n<li>Base ArcGIS Enterprise components do not utilize and are therefore not vulnerable to:<br \/>\n\u2013\u00a0 Log4j 1.2 JMSAppender \u2013 CVE-2021-4104<br \/>\n\u2013\u00a0 Log4j 2.x JDBCAppender \u2013 CVE-2021-44832<\/li>\n<li>The ArcGIS Web Adaptor does not use Log4j core and is therefore not vulnerable.<\/li>\n<\/ul>\n<p><strong>ArcGIS Online<\/strong><\/p>\n<p>Though a Log4j exploit has not been identified for ArcGIS Online, out of an abundance of caution, patching and updates were completed to eliminate the vulnerable code from this FedRAMP authorized SaaS offering.<\/p>\n<p><strong>Esri Managed Cloud Services<\/strong><\/p>\n<p>EMCS Advanced and Advanced+ have implemented web filter mitigations for Log4j vulnerabilities. 
We have applied the scripts that remove the JNDILookup class to all affected systems as recommended in this announcement.<\/p>\n<p><strong>ArcMap<\/strong><\/p>\n<p>Does not include Log4j and is therefore not vulnerable to these CVEs.\u00a0 See the Desktop Extensions section if utilizing optional, separate install extensions.<\/p>\n<p><strong>ArcGIS Monitor<\/strong><\/p>\n<p>Does not contain Log4j and is therefore not vulnerable to these CVEs.<\/p>\n<p><strong>ArcGIS Pro<\/strong><\/p>\n<p>All ArcGIS Pro versions under General Availability support contain Log4j, but are not known to be exploitable as the software does not listen for remote traffic.<\/p>\n<ul>\n<li>We recommend customers utilize version 3 or later<br \/>\n\u2013\u00a0 \u00a0 Log4j 2.x &#8211; Uses Log4j 2.17.1 or later<br \/>\n\u2013\u00a0 \u00a0 Log4j 1.x &#8211; Log4j 1.x code is <strong>NOT<\/strong> utilized as the Log4j Bridge is utilized<\/li>\n<li>Alternatively, patches are available for Pro 2.6.1+, 2.7.6+, 2.8.6+, 2.9.2+<br \/>\n\u2013\u00a0 \u00a0 Log4j 2.x &#8211; Uses Log4j 2.17.1 or later<br \/>\n\u2013\u00a0 \u00a0 Log4j 1.x \u2013 Log4j 1.x code is utilized, but known vulnerable classes are removed<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.esri.com\/en-us\/arcgis\/products\/arcgis-data-interoperability\/overview\"><strong>ArcGIS Pro Data Interoperability Extension<\/strong><\/a><\/p>\n<ul>\n<li>We recommend customers utilize version 3 or later<br \/>\n\u2013\u00a0 \u00a0 Log4j code completely removed<br \/>\n\u2013\u00a0 \u00a0 No false positives from \u201cempty\u201d files<\/li>\n<li>Alternatively, patches are available for <a href=\"https:\/\/links.esri.com\/ArcGISPro\/2.7\/IssuesAddressed\">2.7<\/a>,\u00a0<a href=\"https:\/\/links.esri.com\/ArcGISPro\/2.8\/IssuesAddressed\">2.8<\/a>,\u00a0<a href=\"https:\/\/links.esri.com\/ArcGISPro\/2.9\/IssuesAddressed\">2.9<\/a>\u00a0from\u00a0<a href=\"https:\/\/my.esri.com\/\">My Esri<\/a><br \/>\n\u2013\u00a0 \u00a0 Be aware of 
potential false positives from security scanners due to utilizing \u201cempty\u201d files<br \/>\n\u2013\u00a0 \u00a0 ArcGIS Data Interoperability for ArcGIS Pro for each specific version must be installed prior to installing any ArcGIS Data Interoperability for ArcGIS Pro patches.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/desktop.arcgis.com\/en\/arcmap\/latest\/extensions\/data-interoperability\/a-quick-tour-of-the-data-interoperability-extension.htm\"><strong>ArcMap Data Interoperability Extension<\/strong><\/a><\/p>\n<ul>\n<li>Patch available for\u00a0<a href=\"https:\/\/support.esri.com\/en\/download\/8011\">10.8.2<\/a><\/li>\n<li>ArcMap is no longer covered by General Availability support and we encourage our customers to migrate to ArcGIS Pro.\u00a0 If your organization must continue to utilize ArcMap, please ensure you are utilizing the final product release of 10.8.2 and patch accordingly.<\/li>\n<\/ul>\n<p><strong>License Manager<\/strong><\/p>\n<p>This product utilizes components from Flexera, and Esri does NOT include the vulnerable example files\u00a0<a href=\"https:\/\/community.flexera.com\/t5\/FlexNet-Publisher-Knowledge-Base\/CVE-2021-44228-Log4j-vulnerability-impact-on-FlexNet-Publisher\/ta-p\/217384\">referenced by Flexera in their Log4j statement<\/a>. 
Log4j is not included with Esri\u2019s License Manager and is therefore NOT vulnerable to the CVEs in this announcement.<\/p>\n<p><strong>Esri Geoportal Server<\/strong><\/p>\n<p>This open source product was\u00a0<a href=\"https:\/\/github.com\/Esri\/geoportal-server-catalog\/releases\">updated to version 2.65<\/a>\u00a0on Dec 17th to resolve Log4j issues; please upgrade to this latest release.<\/p>\n<h3><strong><br \/>\nSecurity Scanner False Positives<\/strong><\/h3>\n<ul>\n<li><a href=\"https:\/\/www.tenable.com\/\">Tenable security scanner<\/a>\u00a0\u2013 Provides numerous plugins to help detect Log4j issues; however, the default Plugin 156002 only checks the versions of Log4j and therefore creates a false positive critical alert for customers who have used Esri\u2019s mitigation scripts.\u00a0 Customers should point their security teams to the Ports sections of Plugin 156001 instead, as it correctly indicates if the critically vulnerable code has been removed from Log4j and will show:<br \/>\n<em>JndiLookup.class association : Not Found.<\/em><\/li>\n<li><a href=\"https:\/\/github.com\/logpresso\/CVE-2021-44228-Scanner#readme\">LogPresso Log4j Scanner<\/a>\u00a0\u2013 This free tool,\u00a0<a href=\"https:\/\/www.cisecurity.org\/log4j-zero-day-vulnerability-response\/#Appendix%20A\">listed by the Center for Internet Security for identifying Log4j issues<\/a>, correctly identifies if your ArcGIS Enterprise Log4j components have been mitigated for the critical vulnerabilities by default.\u00a0 The tool requires no install, runs natively on Windows or Linux, typically takes less than two minutes to scan our products, and can be executed at a command prompt by simply pointing it to the installation directory (target_path) of our product as follows:<br \/>\n<em>log4j2-scan target_path<\/em><\/li>\n<\/ul>\n<ul>\n<li><strong>Notes about false positives based on filename versions even with newest versions of Esri products<\/strong> &#8211; Configuring a scanner to flag 
vulnerability concerns based on filenames is NOT a recommended best practice for operations as it will likely lead to false positive findings.\u00a0 Potential false positives to be aware of when alerting on filenames include (these should <strong>not<\/strong> be reported to Esri):<\/li>\n<\/ul>\n<p style=\"padding-left: 80px\">A number of third-party components that include Log4j as a dependency will have Log4j filenames containing the version of the third-party component, which a scanner may detect as a vulnerable Log4j version despite the component using the latest Log4j version. Frequently, the third-party component name is prepended to the Log4j filename, which can help false positive identification efforts.<\/p>\n<p style=\"padding-left: 80px\">Log4j 1.x bridge filenames frequently contain Log4j-1.2 as part of the filename and may mistakenly be identified as Log4j 1.x code. Using the Log4j 1.x Bridge is a widely accepted mitigation of Log4j 1.x concerns and is <a href=\"https:\/\/logging.apache.org\/log4j\/2.x\/manual\/migration.html\">described by Apache here<\/a>.\u00a0 Until third-party components we utilize move their supported offering to Log4j 2.x, we will continue utilizing the Bridge to ensure risks are mitigated.\u00a0 Frequently, Log4j 1.x Bridge filenames match the pattern Log4j-1.2-api-2.17.1, where 2.17.1 is the actual version of the code used for the Bridge, which can help false positive identification efforts.<\/p>\n<p>Bottom line: several security scanners by default perform rudimentary validation of Log4j security issues, resulting in false positive critical alerts even after Esri\u2019s patches are applied or the latest product versions are utilized.\u00a0 To avoid false positives, make sure the scanner is appropriately configured and ensure your team is looking at the right location\/plugin results \u2013 or just use a simpler, purpose-built security tool to validate and provide your security team the assurance the issue has been 
addressed.<\/p>\n"},{"acf_fc_layout":"content","content":"<p><em>&#8211; Esri Software Security &amp; Privacy Team<\/em><\/p>\n"}],"authors":[{"ID":3911,"user_firstname":"Michael","user_lastname":"Young","nickname":"Michael Young","user_nicename":"myoung1000","display_name":"Michael Young","user_email":"myoung@esri.com","user_url":"http:\/\/trust.arcgis.com","user_registered":"2018-03-02 00:15:29","user_description":"","user_avatar":"<img data-del=\"avatar\" src='https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'\/>"},{"ID":5311,"user_firstname":"Randall","user_lastname":"Williams","nickname":"Randall Williams","user_nicename":"randallwilliams","display_name":"Randall Williams","user_email":"randall_williams@esri.com","user_url":"https:\/\/trust.arcgis.com","user_registered":"2018-03-02 00:17:03","user_description":"","user_avatar":"<img data-del=\"avatar\" src='https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'\/>"}],"related_articles":"","card_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/Log4j.png","wide_image":false},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.9 (Yoast SEO v25.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>ArcGIS and Apache Log4j Vulnerabilities<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ArcGIS and Apache Log4j Vulnerabilities\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam\" \/>\n<meta property=\"og:site_name\" content=\"ArcGIS Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/esrigis\/\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-22T21:31:30+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@ESRI\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":[\"Article\",\"BlogPosting\"],\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam\"},\"author\":{\"name\":\"Randall Williams\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959\"},\"headline\":\"ArcGIS and Apache Log4j Vulnerabilities\",\"datePublished\":\"2023-05-22T14:00:31+00:00\",\"dateModified\":\"2023-05-22T21:31:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam\"},\"wordCount\":6,\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"keywords\":[\"ArcGIS Trust 
Center\",\"CVE-2021-44228\",\"Log4Shell\",\"LogJam\",\"vulnerability\"],\"articleSection\":[\"Administration\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam\",\"name\":\"ArcGIS and Apache Log4j Vulnerabilities\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\"},\"datePublished\":\"2023-05-22T14:00:31+00:00\",\"dateModified\":\"2023-05-22T21:31:30+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esri.com\/arcgis-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ArcGIS and Apache Log4j Vulnerabilities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"name\":\"ArcGIS Blog\",\"description\":\"Get insider info from Esri product 
teams\",\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\",\"name\":\"Esri\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"width\":400,\"height\":400,\"caption\":\"Esri\"},\"image\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/esrigis\/\",\"https:\/\/x.com\/ESRI\",\"https:\/\/www.linkedin.com\/company\/5311\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959\",\"name\":\"Randall Williams\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png\",\"caption\":\"Randall Williams\"},\"sameAs\":[\"https:\/\/trust.arcgis.com\"],\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/author\/randallwilliams\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"ArcGIS and Apache Log4j Vulnerabilities","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam","og_locale":"en_US","og_type":"article","og_title":"ArcGIS and Apache Log4j Vulnerabilities","og_url":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam","og_site_name":"ArcGIS Blog","article_publisher":"https:\/\/www.facebook.com\/esrigis\/","article_modified_time":"2023-05-22T21:31:30+00:00","twitter_card":"summary_large_image","twitter_site":"@ESRI","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":["Article","BlogPosting"],"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam#article","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam"},"author":{"name":"Randall Williams","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959"},"headline":"ArcGIS and Apache Log4j Vulnerabilities","datePublished":"2023-05-22T14:00:31+00:00","dateModified":"2023-05-22T21:31:30+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam"},"wordCount":6,"publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"keywords":["ArcGIS Trust 
Center","CVE-2021-44228","Log4Shell","LogJam","vulnerability"],"articleSection":["Administration"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam","url":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam","name":"ArcGIS and Apache Log4j Vulnerabilities","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#website"},"datePublished":"2023-05-22T14:00:31+00:00","dateModified":"2023-05-22T21:31:30+00:00","breadcrumb":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esri.com\/arcgis-blog\/"},{"@type":"ListItem","position":2,"name":"ArcGIS and Apache Log4j Vulnerabilities"}]},{"@type":"WebSite","@id":"https:\/\/www.esri.com\/arcgis-blog\/#website","url":"https:\/\/www.esri.com\/arcgis-blog\/","name":"ArcGIS Blog","description":"Get insider info from Esri product 
teams","publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization","name":"Esri","url":"https:\/\/www.esri.com\/arcgis-blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","width":400,"height":400,"caption":"Esri"},"image":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/esrigis\/","https:\/\/x.com\/ESRI","https:\/\/www.linkedin.com\/company\/5311\/"]},{"@type":"Person","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959","name":"Randall Williams","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png","caption":"Randall Williams"},"sameAs":["https:\/\/trust.arcgis.com"],"url":"https:\/\/www.esri.com\/arcgis-blog\/author\/randallwilliams"}]}},"text_date":"May 22, 2023","author_name":"Multiple Authors","author_page":"https:\/\/www.esri.com\/arcgis-blog\/products\/arcgis-enterprise\/administration\/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam","custom_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2025\/08\/Newsroom-Keyart-Wide-1920-x-1080.jpg","primary_product":"ArcGIS 
Enterprise","tag_data":[{"term_id":24081,"name":"ArcGIS Trust Center","slug":"ssamymlgp","term_group":0,"term_taxonomy_id":24081,"taxonomy":"post_tag","description":"","parent":0,"count":96,"filter":"raw"},{"term_id":763302,"name":"CVE-2021-44228","slug":"cve-2021-44228","term_group":0,"term_taxonomy_id":763302,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":763312,"name":"Log4Shell","slug":"log4shell","term_group":0,"term_taxonomy_id":763312,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":763322,"name":"LogJam","slug":"logjam","term_group":0,"term_taxonomy_id":763322,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":35281,"name":"vulnerability","slug":"vulnerability","term_group":0,"term_taxonomy_id":35281,"taxonomy":"post_tag","description":"","parent":0,"count":8,"filter":"raw"}],"category_data":[{"term_id":37501,"name":"Administration","slug":"administration","term_group":0,"term_taxonomy_id":37501,"taxonomy":"category","description":"","parent":0,"count":422,"filter":"raw"}],"product_data":[{"term_id":36571,"name":"ArcGIS Enterprise","slug":"arcgis-enterprise","term_group":0,"term_taxonomy_id":36571,"taxonomy":"product","description":"","parent":0,"count":972,"filter":"raw"},{"term_id":36551,"name":"ArcGIS Online","slug":"arcgis-online","term_group":0,"term_taxonomy_id":36551,"taxonomy":"product","description":"","parent":0,"count":2419,"filter":"raw"},{"term_id":36561,"name":"ArcGIS Pro","slug":"arcgis-pro","term_group":0,"term_taxonomy_id":36561,"taxonomy":"product","description":"","parent":0,"count":2035,"filter":"raw"},{"term_id":763582,"name":"ArcGIS Trust Center","slug":"trust-arcgis","term_group":0,"term_taxonomy_id":763582,"taxonomy":"product","description":"Reserved for articles authored by the ArcGIS Trust Center 
team","parent":36981,"count":86,"filter":"raw"}],"primary_product_link":"https:\/\/www.esri.com\/arcgis-blog\/?s=#&products=arcgis-enterprise","_links":{"self":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/1435562","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/users\/5311"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/comments?post=1435562"}],"version-history":[{"count":0,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/1435562\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/media?parent=1435562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/categories?post=1435562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/tags?post=1435562"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/industry?post=1435562"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/product?post=1435562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}