The Log4Shell vulnerability (CVE-2021-44228) is a critical security vulnerability in version 2 of the log4j library. ArcGIS Workflow Manager Server does use an impacted version 2 of log4j at version 10.9.1 only, earlier versions of Workflow Manager Server do not use log4j and are therefore unaffected by this vulnerability. This article provides steps to mitigate the risk of exploitation. Esri is working towards a patch, but this mitigation script can be used immediately on ArcGIS Workflow Manager Server version 10.9.1.
Note: Esri recommends installing the patches for this vulnerability as they become available. Please check the ArcGIS Enterprise Log4j Patch Summary Page.
How This Script Works:
This script implements a widely documented industry approach of modifying version 2 log4j libraries to remove the JndiLookup.class file from the “core” log4j jar file so that the vulnerability can’t be exploited. This script identifies all locations in ArcGIS Workflow Manager Server where the class files reside and then removes those class files. The script has two implementations – one for Linux and one for Windows. These same scripts can be used against ArcGIS Server, ArcGIS Data Store, and Portal for ArcGIS, so if you have downloaded the log4shellmitigation script for those products then you can re-use it for these steps.
To verify the version of Python you are running, open a command prompt and type the following:
<full path to Python>\python.exe –version
Note: Esri recommends verifying that you have the correct download before running these scripts. To do so, run checksum on the downloaded zip files and verify that the hash is identical to that shown in the table below. Do not extract the script prior to running checksum. For more information about running checksum, see the following article: How To: Verify an Esri download using the checksum If the file hash does not match with what is shown below, clear your browser cache and download the file again.
|Operating system||File name||Hash|
The following steps work for ArcGIS Workflow Manager Server version 10.9.1
<full path to Python>\python.exe log4shellmitigation.py --list <ArcGIS Server install directory>
Here’s an example of the command:
"C:\Program Files\ArcGIS\Server\framework\runtime\ArcGIS\bin\Python\envs\arcgispro-py3\python.exe" log4shellmitigation.py -l "C:\Program Files\ArcGIS\Server"
This lists all the files that will be changed. Make note of these locations in case you want to revert the changes later.
Note: The ArcGIS Server install directory is commonly "C:\Program Files\ArcGIS\Server". If the path to Python or the ArcGIS Server installation has spaces in it, please put quote marks (") around the path. Note that the command flag is -l (dash lowercase ell), missing a dash or inserting a space will cause the command to fail.
Executing the script
<full path to Python>\python.exe log4shellmitigation.py --delete <server directory>
Here’s an example of the command:
"C:\Program Files\ArcGIS\Server\framework\runtime\ArcGIS\bin\Python\envs\arcgispro-py3\python.exe" log4shellmitigation.py --delete "c:\Program Files\ArcGIS\Server"
This is the command that is modifying the JAR files so that log4shell cannot be exploited.
If there are any problems and it is necessary to roll back the changes, please contact Esri Technical Support for assistance.
The following steps work for ArcGIS Workflow Manager Server version 10.9.1.
For example, if ArcGIS Server was installed in /opt/arcgis/server then you would need to place the script in the /opt/arcgis directory.
Note: If you have multiple ArcGIS Enterprise products installed on the same machine with the same parent directory and you have already run the log4shellmitigation.sh script from that same location, it is not necessary to run again. Running the script from a parent directory will apply it to all products that share the same parent directory.
chmod 500 log4shellmitigation.sh
This lists all the files that will be modified. No backup of these files will be made by this script. If you wish to back up these original files, do so now by copying them to some other location.
If there are any problems and you wish to roll back the changes, please contact Esri Technical Support for assistance.