Answer
Summary
This article is intended to answer frequently asked questions regarding the Log4J vulnerability as it pertains to ArcGIS Enterprise products. While not comprehensive, this article will be updated as additional questions arise.
Refer to ArcGIS Blog: ArcGIS and Apache Log4j Vulnerabilities for the latest and most authoritative information.
Frequently Asked Questions
What do the scripts do?
The scripts perform these functions:
- They search for log4j 2.x JARs (Java archives) in the path under which the script is run and enumerate the locations of the JARs discovered.
- They make backups of the JARs discovered.
- They open each impacted Log4j JAR file and remove the JndiLookup.class from it.
- They reset the original datestamps on these files.
How do I validate that the script worked as expected?
- Re-run the script with the -list option.
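The four steps the scripts perform (locate Log4j 2.x core JARs, back them up, strip the JndiLookup class, restore the original timestamps) and the `-list` style validation pass, shown as an added Python example. This is not Esri's script: the names `JNDI_CLASS`, `find_log4j_jars`, `list_status`, `remove_jndi_lookup` and `make_sample_jar` are this example's own, and the sample JAR it builds is a constructed fixture, not a real Log4j archive.

```python
import os
import re
import shutil
import tempfile
import zipfile

# Names below (JNDI_CLASS, remove_jndi_lookup, ...) are this example's own, not Esri's.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_JAR_RE = re.compile(r"^log4j-core-2\.\d+(\.\d+)*\.jar$")  # Log4j 2.x core only

def find_log4j_jars(root):
    """Recursively list Log4j 2.x core JARs under root."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if LOG4J_JAR_RE.match(f))

def jar_has_jndi_lookup(jar_path):
    """True if the JAR still contains the class the mitigation removes."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()

def list_status(root):
    """Validation view (like re-running with -list): path -> still has JndiLookup?"""
    return {p: jar_has_jndi_lookup(p) for p in find_log4j_jars(root)}

def remove_jndi_lookup(jar_path, backup_suffix=".bak"):
    """Back up jar_path, rewrite it without JndiLookup.class, keep its mtime.
    Returns the backup path, or None if the JAR was already mitigated."""
    if not jar_has_jndi_lookup(jar_path):
        return None
    st = os.stat(jar_path)
    backup = jar_path + backup_suffix
    shutil.copy2(jar_path, backup)  # copy2 keeps the original metadata too
    # Rewrite beside the JAR, so no per-user temp tree is left to clean up.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)
    # Installers compare date-modified; restore it so later patching behaves.
    os.utime(jar_path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return backup

def make_sample_jar(jar_path):
    """Constructed fixture: a fake log4j-core JAR carrying a JndiLookup entry."""
    with zipfile.ZipFile(jar_path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not bytecode
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
```

Running `list_status` on the same root after `remove_jndi_lookup` should report every matched JAR as `False`; a `True` entry means that JAR was missed.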
Why are the Log4j version numbers for the JAR files not changed?
- The scripts do not update Log4J. They remove the class that is required to exploit CVE-2021-44228 and CVE-2021-45046.
What about versions earlier than 10.6.0? Will the scripts work there?
- Refer to the ArcGIS product life cycle. Customers with software in Mature Support status should be planning upgrades at this point. While the scripts work with earlier versions, only ArcGIS Enterprise versions in General and Extended Support status have been validated. Software in Mature or Retired status is not validated.
How should we run Log4Shell mitigation scripts for HA environments?
- Run the scripts on each machine that participates in the site. Run the scripts on files in any shared directories.
Do I need to stop ArcGIS Server, ArcGIS Data Store, ArcGIS Enterprise Portal, ArcGIS GeoEvent Server, and other ArcGIS Server role processes before running the scripts?
Should customers using 10.8.0+ still run the scripts?
Is the JRE used in 10.8.x+ a mitigation?
- No. While Apache initially indicated that the protections offered by the JRE in those versions were an effective mitigation, this statement was quickly disproven.
Why did the file timestamp not change after I ran the scripts?
- The installers check several things, including the date-modified timestamp on a file, to determine whether the file will be overwritten. Our scripts reset the timestamps on the files they change so that this check behaves as before.
Where is Python 3.x installed?
- ArcGIS Server: Python 3 is typically installed in your ArcGIS Server directory (commonly C:\Program Files\ArcGIS\Server) under the \framework\runtime\ArcGIS\bin\Python\envs\arcgispro-py3 directory.
- Portal for ArcGIS: Python is installed in your Portal installation directory (commonly C:\Program Files\ArcGIS\Portal) under the \framework\runtime\python directory.
- ArcGIS Data Store does not ship with Python.
Is Esri going to offer formal patches?
Do we still need to run the scripts after the patch is applied?
Do I need to run the script again on Spatiotemporal data stores?
After upgrading Enterprise, do I need to re-run the script again (for example, 10.9 to 10.9.1)?
Does the script back up Log4j JARs before deleting JndiLookup.class?
- Yes. The script backs up modified JARs under a different extension (.bak on Windows and .backup on Linux), and the backups are not exploitable in that form. They can be removed after the ArcGIS Enterprise components have been restarted and normal operations have been validated.
Can the script harm my ArcGIS Enterprise site?
- There have been no reproducible instances of the provided scripts harmfully impacting an ArcGIS Enterprise site.
What do I do if my ArcGIS Enterprise site is not working normally after running the scripts?
- Contact Esri Support Services.
After running the provided scripts for GeoEvent Server, I still see Log4j JARs in a cache folder. For example: ArcGIS\Server\GeoEvent\data\cache\bundle8\version0.0\bundle.jar
- As part of the script guidelines for GeoEvent Server, we instruct users to delete the contents of the Data folder (including subfolders) while the Windows and Linux services/daemons are stopped. We instruct users to delete all of the contents of the Data folder rather than searching in specific bundles.
What do I do if the scripts error out because files copied into /temp while backing up the Log4j JARs cannot be removed (Windows)? For example: OSError: [Winerror 145 The directory is not empty: 'c:\\users\\username\\Appdata\\Local\\temp\\randomstring\\apache\\logging\\log4j\\core\\jmx'
- Update line 84 in the Python script to read: shutil.rmtree(temp_dir_name, ignore_errors=True).
Does the sequence in which I run these scripts matter? For example, Portal > Server > Data Store versus some other sequence?
Can I update Portal and Server machines now and update the Data Store machine at a later date?
- Yes. If administrative challenges prevent installing Python on the Data Store host, run the scripts for the other ArcGIS Enterprise components.
What do I do if I validate the checksum of the downloaded script and it does not match?
- Be sure you are calculating the checksum of the script using SHA256. See the Esri technical article: How To: Verify an Esri download using the checksum.
- Be sure to run the checksum on the downloaded ZIP file and NOT on the extracted script. If the checksum still does not validate, clear your browser cache and re-download the script. If the checksum still doesn't match, do not extract the script. Contact Esri Support Services.