Keep up to date with Log4j
Esri has released patches for the Log4j vulnerability for the following components:
| Portal for ArcGIS | 10.6, 10.6.1, 10.7.1, 10.8.1, 10.9, 10.9.1 |
| ArcGIS Server | 10.6, 10.6.1, 10.7.1, 10.8.1, 10.9.1 |
| ArcGIS Data Store | 10.6.1, 10.7.1, 10.8.1, 10.9, 10.9.1 |
| ArcGIS GeoEvent Server | 10.6, 10.6.1, 10.7.1, 10.8.1, 10.9, 10.9.1 |
Although there is no known exploit identified with ArcGIS products, it is highly recommended to apply Esri's Log4Shell scripts to all installations of ArcGIS Enterprise and ArcGIS Server of any version of the software. Please check back often as frequently asked questions will be updated based on customer feedback.
Recommended scripts can be downloaded for:
ArcGIS Server
Portal for ArcGIS
ArcGIS Data Store
ArcGIS GeoEvent Server
ArcGIS Workflow Manager Server
ArcGIS GeoEnrichment Server
- Should I run the mitigation scripts or wait for a patch?
- We strongly advise using the supplied scripts now rather than waiting for additional patches to become available.
- I am receiving Permissions error when running Log4j script on Portal for ArcGIS: PermissionError: [WinError 32] The process cannot access the file because it is being used by another process?
As a starting point to troubleshoot the error, please check that:
-
The user is logged in on the machine as the administrator or the ArcGIS Datastore/Portal/Server “run as” account.
-
The ArcGIS Data Store/Portal/Server service has been stopped so the files can be modified.
-
Verify that there aren’t any processes running under the ArcGIS Datastore/Portal/Server account in Task manager on the machine that may be locking the files. If processes are running, select “End task” in the Task manager.
-
Verify that the account used to execute the scripts has read/write permissions to the server/portal/datastore directories mentioned in the technical articles.
-
- Our ArcGIS Data Store is installed on a separate server. Where would I download the Python install media from?
-
Download and install Python 3 on the server machine where ArcGIS Data Store is installed: https://www.python.org/downloads
-
Follow the installation steps at https://docs.python.org/3/using/windows.html
-
Note: You may also need to install Python 3 if you are running an older version (10.5 and below) of the stand-alone ArcGIS Server. Additionally, please ensure that the path to Python in the command window will match the location on the server where the Python 3 is installed. For example, if during the installation you specified the installation directory as “C:\ProgramFiles\Python3”, the script command line would reference this location to execute python.exe
Running the script on the systems where only Python 2.7 is installed will produce following message: "This script must be run with Python v3."
-
- The documentation refers to the "Stop the ArcGIS Server service". Do we need to stop each web service running on our ArcGIS Server?
- No, the service that needs to be stopped is the ArcGIS Server service account that runs the software and can be found under Windows Services:
- What action should I take if I'm on ArcGIS Enterprise 10.5 or lower?
- Customers who are using ArcGIS Enterprise versions in Mature/Retired phase (version 10.5.x and below) are strongly recommended to upgrade to the latest supported version of ArcGIS Enterprise. Software in mature or retired status does not receive patches for any security vulnerabilities.
- Do we apply these scripts to 10.8.x or higher environments?
Yes. Esri is recommending that the mitigation scripts are applied to all installations of any version of ArcGIS Enterprise and ArcGIS Server to remove the JndiLookup class. Scripts have been validated for versions 10.6 and above, however they should work for older versions of ArcGIS Enterprise and ArcGIS Server as well.
- We can only download Python 3.10. Will this run the mitigation script?
- Any version 3.5 or higher should be sufficient to run the script.
- Can I simply update the Java class in the software to the latest version?
- Esri does not recommend updating the Java classes manually. Customers are strongly encouraged to use the supplied mitigation scripts.
- After applying the patches we still see the vulnerable log4j file versions on our system. Should we be concerned?
- The scripts remove the JndiLookup class which is the only mitigation measure recommended by Apache Log4j that does not require updating the Log4j version. After applying the mitigation scripts, you will still see vulnerable Log4j version numbers on these systems, however the vulnerable code has been removed.
- After applying the patches we still see the vulnerable log4j file versions on our system. Should we be concerned?
- The scripts remove the JndiLookup class which is the only mitigation measure recommended by Apache Log4j that does not require updating the Log4j version. After applying the mitigation scripts, you will still see vulnerable Log4j version numbers on these systems, however the vulnerable code has been removed.
- Our security scanner returns a positive alert even after running the mitigation scripts. How can we validate the scripts and avoid false positives?
Several security scanners by default perform rudimentary validation of Log4j security issues resulting in false positive critical alerts even after running Esri’s mitigation scripts.
To avoid false positives, make sure the scanner is appropriately configured and your team is looking at the right location/plugin results. Alternatively, you can use a simpler, purpose-built security tool to validate and ensure the issue has been addressed.
- A Tenable security scanner provides numerous plugins to help detect Log4j issues, however default Plugin 156002 only checks the versions of Log4j and therefore creates a false positive critical alert even after running Esri’s mitigation scripts. Direct your team to the Ports sections of Plugin 156001 instead, as it correctly indicates if the Critically vulnerable code has been removed from Log4j and will show: JndiLookup.class association : Not Found
- A LogPresso Log4j Scanner is a free tool listed by the Center of Internet Security for identifying Log4j issues, that correctly identifies if your ArcGIS Enterprise Log4j components have been mitigated for the critical vulnerabilities by default.
The tool requires no install, runs natively on Windows or Linux, typically takes less than two minutes to scan Esri products, and can be executed at a command prompt by simply pointing it to the installation directory (target_path) of any Esri product as follows: log4j2-scantarget_path