Hi Everyone,
I'm just following on from the fun and excitement that was, and continues to be, the Log4j vulnerabilities, and the follow-on cyber security team scanning for additional risks relating to this.
As raised by @Pei-SanTsai in this incredibly useful thread, there are also 1.x versions of log4j showing up on security scans, as they reached End Of Life (EOL) back in 2015. @RandallWilliams indicated there are dependencies within Enterprise components, such as "Zookeeper" and "ElasticSearch", that may still require these libraries in order to function as expected.
I've not been able to find any official word from Esri relating to this, as the focus has rightly been on the exploit discovered in version 2; the only mention is in the Esri vulnerability guidance that:
"Base ArcGIS Enterprise components do not utilize and are therefore not vulnerable to:
– Log4j 1.2 JMSAppender – CVE-2021-4104"
From what we've been advised, there may still be an exploit in the version that exists within zookeeper (we're on AGS 10.8.1):
It does seem to still be relevant for versions 1.2 through 1.2.17, as in Apache's EOL reference and the associated CVE-2019-17571.
Are there any mitigations known for this that could be implemented without affecting Enterprise environments? Current requests from the security team are to delete or rename these files, but hopefully there is a better solution out there.
Thanks!
Dean
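Added example (not from the thread, and not Esri guidance): a small inventory script showing what a scan for the log4j 1.x issue above can actually check, rather than matching on file names alone. It walks a directory tree, identifies log4j 1.x jars by the `org/apache/log4j/Logger.class` entry (2.x lives under `org/apache/logging/log4j`), reads the version from the manifest, and reports whether the jar still contains the two classes behind the CVEs named in the post: `org/apache/log4j/net/SocketServer.class` for CVE-2019-17571 (the deserialization flaw in the log4j 1.x socket server) and `org/apache/log4j/net/JMSAppender.class` for CVE-2021-4104. It also shows the class-stripping alternative to deleting the whole jar: writing a copy with just those entries removed. The jar it scans is a constructed stand-in built in a temporary directory so the script runs offline; it is not a real Esri or Apache artifact.

```python
"""Inventory log4j 1.x jars and strip the classes tied to the CVEs in the thread.

Added example, not Esri code. The sample jar is constructed in a temp dir.
"""
import os
import re
import shutil
import tempfile
import zipfile

# Class entries tied to the two CVEs named in the post.
RISKY_CLASSES = {
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
}
# Present in every log4j 1.x jar; 2.x uses the org/apache/logging/log4j package.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"


def log4j1_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def inspect_jar(path):
    """Return None if the jar is not log4j 1.x, else its version and risky classes."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if LOG4J1_MARKER not in names:
            return None
        return {
            "path": path,
            "version": log4j1_version(zf),
            "findings": {c: cve for c, cve in RISKY_CLASSES.items() if c in names},
        }


def scan_tree(root):
    """Walk root and return inspection results for every log4j 1.x jar found."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                found = inspect_jar(os.path.join(dirpath, name))
                if found:
                    results.append(found)
    return results


def strip_classes(src, dst, classes=RISKY_CLASSES):
    """Copy src to dst, omitting the listed entries. Returns the removed names."""
    removed = []
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename in classes:
                removed.append(item.filename)
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def build_sample_jar(path, version="1.2.17"):
    """Constructed stand-in for a log4j 1.x jar (fake class bodies), for offline use."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        zf.writestr(LOG4J1_MARKER, b"\xca\xfe\xba\xbe")
        for cls in RISKY_CLASSES:
            zf.writestr(cls, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/PatternLayout.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build the sample tree, scan it, strip the risky classes, and rescan."""
    tmp = tempfile.mkdtemp()
    try:
        jar = os.path.join(tmp, "lib", "log4j-1.2.17.jar")
        os.makedirs(os.path.dirname(jar))
        build_sample_jar(jar)
        before = scan_tree(tmp)[0]
        hardened = os.path.join(tmp, "log4j-1.2.17-stripped.jar")
        removed = strip_classes(jar, hardened)
        after = inspect_jar(hardened)
        return {
            "version": before["version"],
            "before": before["findings"],
            "removed": sorted(removed),
            "after": after["findings"],
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats when using something like this against a real install: run it against a copy of the jar and keep the original, since a modified jar will no longer match the vendor's checksum, and confirm with Esri support before swapping a shipped jar, because anything that changes component files can fall outside what they support. Also note that a scan of this kind only tells you whether the class is present; a finding of `SocketServer.class` does not by itself mean the socket server is ever started in your environment.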