Log4Shell Vulnerability and ArcGIS Products
The Log4Shell vulnerabilities (CVE-2021-44228, CVE-2021-45046) are critical security vulnerabilities in version 2 of the Apache Log4j library: the first allows remote code execution when attacker-controlled text reaches a log message and triggers a JNDI lookup, and the second covers cases that the initial fix left open. This library is widely used across many software products from many vendors, including Esri products. Esri is actively tracking this evolving issue.
Esri has published a blog post on the ArcGIS Trust Center that reflects the currently available information for all ArcGIS products, including ArcGIS Online, ArcGIS Pro, and ArcGIS Enterprise. This blog is your go-to resource as Esri addresses the Log4Shell vulnerabilities, and it will be updated regularly as new information and guidelines are made available.
ArcGIS Enterprise customers should carefully review the blog's guidelines and are highly encouraged to take action to mitigate potential risk from this vulnerability. At this time, no action is needed from customers regarding other ArcGIS products, but we encourage you to stay current on future updates.
Please read on for more information specifically regarding ArcGIS Enterprise.
Several ArcGIS Enterprise components contain the vulnerable Log4j library. However, at this time, there is no known exploit available for any version of a base ArcGIS Enterprise deployment (including the ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store components) or for a stand-alone ArcGIS Server site.
Out of an abundance of caution, Esri has created a script that removes the vulnerable code from each of these ArcGIS Enterprise components across all currently supported versions of ArcGIS Enterprise.
We recommend that all ArcGIS Enterprise customers remove the vulnerable Log4j code from their ArcGIS Enterprise and ArcGIS Server environments by following the steps outlined in the ArcGIS Trust Center blog post, and then verify that no unremediated copies of the library remain on the affected machines.
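After running the remediation script, the check a practitioner will want is an inventory of every log4j-core jar on the machine and whether each still contains the JNDI lookup class. The following Python script is an added example, not Esri's script and not code from this page. It assumes, as the Apache advisory recommends for installations that cannot be upgraded, that the mitigation to verify is removal of `org/apache/logging/log4j/core/lookup/JndiLookup.class` from `log4j-core`, and it treats 2.16.0 and later as fixed for the two CVEs named above. The directory names, jar versions and the sample `.war` are a constructed fixture written to a temporary directory, not the real ArcGIS install layout; point `scan_tree` at an actual installation root to use it.

```python
"""Inventory log4j-core jars under a directory tree (including jars nested in
.war/.ear/.zip archives) and report whether each still contains JndiLookup.class.
Added example; the fixture built by build_sample_tree() is constructed data."""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# log4j-core-2.14.1.jar, log4j-core-2.14.1-something.jar -> (2, 14, 1)
CORE_JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")
# First release line fixing both CVE-2021-44228 and CVE-2021-45046. The Java 7/6
# backports (2.12.2+, 2.3.1+) also fix them but are deliberately flagged for review.
FIXED_FROM = (2, 16, 0)


def core_version(name):
    """Return (major, minor, patch) parsed from a log4j-core jar name, else None."""
    m = CORE_JAR_RE.search(name)
    return tuple(int(x) for x in m.groups()) if m else None


def classify_core_jar(name, zf):
    """Classify one opened log4j-core jar by version and presence of JndiLookup."""
    version = core_version(name)
    present = JNDI_LOOKUP in zf.namelist()
    if version >= FIXED_FROM:
        status = "patched"       # fixed release; the class may legitimately remain
    elif not present:
        status = "mitigated"     # JndiLookup.class has been removed from the jar
    else:
        status = "VULNERABLE"    # old release with the lookup class still inside
    return {"jar": name, "version": version, "jndi_lookup_present": present, "status": status}


def scan_tree(root):
    """Walk root; inspect log4j-core jars on disk and one level inside archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if core_version(fn):
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.append(classify_core_jar(path, zf))
                except zipfile.BadZipFile:  # truncated or corrupt jar: report, never skip
                    findings.append({"jar": path, "version": core_version(fn),
                                     "jndi_lookup_present": None, "status": "UNREADABLE"})
            elif fn.endswith((".war", ".ear", ".zip")):
                try:
                    with zipfile.ZipFile(path) as outer:
                        for entry in outer.namelist():
                            if core_version(entry):
                                with zipfile.ZipFile(io.BytesIO(outer.read(entry))) as inner:
                                    findings.append(classify_core_jar(path + "!/" + entry, inner))
                except zipfile.BadZipFile:
                    pass
    return findings


def _write_jar(path, include_jndi_lookup):
    """Write a minimal fake jar (constructed fixture, not a real Log4j build)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def build_sample_tree(root):
    """Constructed fixture; directory names are illustrative, not the ArcGIS layout."""
    _write_jar(os.path.join(root, "server", "framework", "lib", "log4j-core-2.14.1.jar"), True)
    _write_jar(os.path.join(root, "portal", "framework", "lib", "log4j-core-2.13.3.jar"), False)
    _write_jar(os.path.join(root, "datastore", "lib", "log4j-core-2.16.0.jar"), True)
    _write_jar(os.path.join(root, "server", "lib", "commons-io-2.8.0.jar"), False)  # unrelated
    # A web application bundling its own copy of log4j-core inside the archive.
    war = os.path.join(root, "portal", "webapps", "sample.war")
    os.makedirs(os.path.dirname(war), exist_ok=True)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(war, "w") as outer:
        outer.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", inner.getvalue())
    # A truncated jar that zipfile cannot open.
    with open(os.path.join(root, "server", "lib", "log4j-core-2.12.1.jar"), "wb") as f:
        f.write(b"PK\x03\x04 truncated")
    return root


def scan_sample_tree():
    """Build the fixture in a temp dir and return {jar name: status}."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="log4j-scan-"))
    return {os.path.basename(f["jar"]): f["status"] for f in scan_tree(root)}


if __name__ == "__main__":
    root = build_sample_tree(tempfile.mkdtemp(prefix="log4j-scan-"))
    for f in sorted(scan_tree(root), key=lambda f: f["jar"]):
        print(f"{f['status']:11} {f['version']}  {f['jar']}")
```

Any jar reported as VULNERABLE or UNREADABLE needs a second look; a jar on the Java 7 or Java 6 backport lines (2.12.2 and later, 2.3.1 and later) will also be flagged because the version rule above is deliberately conservative. The scan only covers files under the given root, so run it against every ArcGIS Enterprise and ArcGIS Server installation directory on each machine, not just one component.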
If you have additional questions after reviewing this guidance, please contact Esri China (HK) Technical Support via firstname.lastname@example.org or 37685909.