[gis_info] Esri Response to the Log4j Issue

MATHER David * DAS David.MATHER at das.oregon.gov
Wed Dec 15 10:34:36 PST 2021 

Oregon GIS Community,

For those of you who use Esri software products, Esri had reached out this morning with news about updates to their blog article on the Log4j Critical Vulnerability.  Please see their blog article below and recommended steps.  If you have questions, please contact Esri tech support directly.

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/

They wanted to highlight specifically the scripts they have created to remove the JndiLookup Class:

"Out of an abundance of caution, Esri has created Log4Shell mitigation scripts that are strongly recommended to be applied to all installations of ArcGIS Enterprise and ArcGIS Server of any version of the software.  The scripts remove the JndiLookup class which is the only mitigation measure recommended by Apache Log4j<https://logging.apache.org/log4j/2.x/security.html> that does not require updating the Log4j version. This action fully addresses CVE-2021-44228 and CVE-2021-45046.  The scripts have been validated for versions 10.6 and above, however they should work on older versions of ArcGIS Enterprise and ArcGIS Server as well. Separate detailed instructions and scripts are available for:
ArcGIS Server<https://support.esri.com/Technical-Article/000026951> - Also includes mitigation for ArcGIS GeoEvent Server
Portal for ArcGIS<https://support.esri.com/Technical-Article/000026950>
ArcGIS Data Store<https://support.esri.com/Technical-Article/000026949>"


Thanks,

[cid:image001.png at 01D7F19F.5A6D8520]
David Mather, GISP
Geospatial Data Admin / Sys Admin
Enterprise Information Services
Data Governance and Transparency | GEO
Cell:971.900.9643 Desk:503.378.2166 | gis.oregon.gov


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://omls.oregon.gov/pipermail/gis_info/attachments/20211215/a69cf31b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 21907 bytes
Desc: image001.png
URL: <https://omls.oregon.gov/pipermail/gis_info/attachments/20211215/a69cf31b/attachment-0001.png>

More information about the gis_info mailing list