ArcGIS and Apache Log4j Vulnerabilities
/Last Updated 23/12/2021 11:00am GMT
Esri Inc and Esri UK are actively investigating the impact of the Log4j library vulnerability (CVE-2021-44228 and related CVE-2021-45046, CVE-2021-4104, CVE-45105 ) disclosed on December 9 2021, as some Esri Inc and Esri UK products contain this common logging tool. This bulletin contains the latest information about Esri Inc and Esri UK products and will be updated as new information becomes available.
ArcGIS Enterprise
The vulnerability affects some versions of ArcGIS Enterprise. We strongly recommend immediate mitigating actions in these cases. Please refer to the ArcGIS Blog for the most up-to-date guidance on affected versions and associated mitigations.
As with any upgrade or patch, suitable precautions should be taken before taking the recommended mitigation steps in the ArcGIS Blog article (e.g. running the mitigation scripts), and we strongly advise you to consider taking a snapshot image or other backup of your system to revert to if necessary.
ArcGIS Online
Mitigating actions are being applied to ArcGIS Online. Please refer to the ArcGIS Blog for the most up-to-date details.
ArcGIS Desktop Software, Extensions and License Manager
Please refer to the ArcGIS Blog for the latest information.
Esri UK Managed Cloud Services
All Esri UK Managed Cloud Services environments have been updated with the recommended mitigation scripts for Log4j vulnerabilities. Please contact your service delivery manager if further information is required.
Esri UK Products
Sweet for ArcGIS, Utility Network Editor, InstantAtlas, LocatorHub
We have been working to identify any potential vulnerabilities in Esri UK developed products caused by CVE-2021-44228. At this time we do not believe any supported Esri UK products are shipped containing the vulnerable components. As additional testing is carried out, updates will be posted to this blog.
*Note: UK data Loader relies on ArcGIS Pro Data Interoperability Extension, please see the section on Safe Software FME Products below.
Safe Software FME Products
Please refer to the ArcGIS Blog for ArcGIS Data Interoperability Extension and the Safe Software article for details of other FME Products.