{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-072.pdf"
    },
    "title": "ArcGIS Critical Vulnerability",
    "serial_number": "2021-072",
    "publish_date": "16-12-2021 19:20:00",
    "description": "On December 16th, Esri updated its blog post related to CVE-2021-44228 affecting ArcGIS products, especially ArcGIS Enterprise and ArcGIS Server. While this CVE affects the Java logging library \"log4j\", all products using this library are vulnerable to unauthenticated remote code execution.<br>ArcGIS Enterprise components contain the vulnerable log4j library. However, Esri specifies in its blog post that there is no known exploit available for any version of a base ArcGIS Enterprise deployment or stand-alone ArcGIS Server at this time. Still, Esri released Log4Shell mitigation scripts that fully address CVE-2021-44228.",
    "url_title": "2021-072",
    "content_markdown": "---\ntitle: 'ArcGIS Critical\u00a0Vulnerability'\nversion: '1.0'\nnumber: '2021-072'\ndate: 'December 16, 2021'\n---\n\n_History:_\n\n* _16/12/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn December 16th, Esri updated its blog post related to CVE-2021-44228 affecting ArcGIS products, especially ArcGIS Enterprise and ArcGIS Server [1]. While this CVE affects the Java logging library `log4j`, all products using this library are vulnerable to unauthenticated remote code execution [2].\n\nArcGIS Enterprise components contain the vulnerable log4j library. However, Esri specifies in its blog post that there is no known exploit available for any version of a base ArcGIS Enterprise deployment or stand-alone ArcGIS Server at this time. Still, Esri released Log4Shell mitigation scripts that fully address CVE-2021-44228.\n\n# Technical Details\n\nThe vulnerability exists in the Java logging library log4j. An unauthenticated remote attacker might exploit this vulnerability by sending specially crafted content to the application to execute malicious code on the server [2].\n\n# Affected products\n\nAll versions of ArcGIS Enterprise and ArcGIS Server are vulnerable.\n\nNotes:\n\n- ArcGIS Monitor does not contain the Log4j library and is therefore not vulnerable.\n- ArcGIS Pro contains the log4j library, but the vulnerability cannot be exploited since the software does not listen for remote traffic.\n\n# Recommendations\n\nEsri recommends applying the mitigation script to all installations of ArcGIS Enterprise and ArcGIS Server, whatever the software version, as soon as possible. Note that the mitigation script only removes the vulnerable `JndiLookup` class, so the vulnerable log4j library version will still be present on the systems.\n\nThe instructions for running the mitigation script for each product can be found here:\n\n- ArcGIS Server: <https://support.esri.com/Technical-Article/000026951>\n- Portal for ArcGIS: <https://support.esri.com/Technical-Article/000026950>\n- ArcGIS Data Store: <https://support.esri.com/Technical-Article/000026949>\n- ArcGIS GeoEvent Server: <https://support.esri.com/Technical-Article/000026956>\n\n# References\n\n[1] <https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/>\n\n[2] <https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>16/12/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 16th, Esri updated its blog post related to CVE-2021-44228 affecting ArcGIS products, especially ArcGIS Enterprise and ArcGIS Server [1]. While this CVE affects the Java logging library <code>log4j</code>, all products using this library are vulnerable to unauthenticated remote code execution [2].</p><p>ArcGIS Enterprise components contain the vulnerable log4j library. However, Esri specifies in its blog post that there is no known exploit available for any version of a base ArcGIS Enterprise deployment or stand-alone ArcGIS Server at this time. Still, Esri released Log4Shell mitigation scripts that fully address CVE-2021-44228.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability exists in the Java logging library log4j. An unauthenticated remote attacker might exploit this vulnerability by sending specially crafted content to the application to execute malicious code on the server [2].</p><h2 id=\"affected-products\">Affected products</h2><p>All versions of ArcGIS Enterprise and ArcGIS Server are vulnerable.</p><p>Notes:</p><ul><li>ArcGIS Monitor does not contain the Log4j library and is therefore not vulnerable.</li><li>ArcGIS Pro contains the log4j library, but the vulnerability cannot be exploited since the software does not listen for remote traffic.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Esri recommends applying the mitigation script to all installations of ArcGIS Enterprise and ArcGIS Server, whatever the software version, as soon as possible. Note that the mitigation script only removes the vulnerable <code>JndiLookup</code> class, so the vulnerable log4j library version will still be present on the systems.</p><p>The instructions for running the mitigation script for each product can be found here:</p><ul><li>ArcGIS Server: <a rel=\"noopener\" target=\"_blank\" href=\"https://support.esri.com/Technical-Article/000026951\">https://support.esri.com/Technical-Article/000026951</a></li><li>Portal for ArcGIS: <a rel=\"noopener\" target=\"_blank\" href=\"https://support.esri.com/Technical-Article/000026950\">https://support.esri.com/Technical-Article/000026950</a></li><li>ArcGIS Data Store: <a rel=\"noopener\" target=\"_blank\" href=\"https://support.esri.com/Technical-Article/000026949\">https://support.esri.com/Technical-Article/000026949</a></li><li>ArcGIS GeoEvent Server: <a rel=\"noopener\" target=\"_blank\" href=\"https://support.esri.com/Technical-Article/000026956\">https://support.esri.com/Technical-Article/000026956</a></li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/\">https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf\">https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}