Patches and updates

ArcGIS Server Log4j Patch

Published: February 4, 2022

Summary

This security patch addresses multiple security vulnerabilities found in log4j distributed with ArcGIS Server. Esri recommends that all customers using ArcGIS Server 10.7.1 apply this patch.

Description

EsriĀ® announces the ArcGIS Server Log4j Patch. Esri recommends that all customers using ArcGIS Server 10.7.1 apply this patch. This patch deals specifically with the issue listed below under Issues Addressed with this patch.

Issues Addressed with this patch

To avoid conflicts on 10.7.1 this patch also addresses:
  • BUG-000137668 - Stored XSS vulnerability in ArcGIS Server Services Directory
  • BUG-000137663 - Stored XSS vulnerability in ArcGIS Server
  • BUG-000137662 - Reflected XSS in ArcGIS Server
  • BUG-000137658 - SSRF vulnerability in ArcGIS Server Manager.
  • BUG-000132311 - Unable to view service workspace information in Server Manager when the site's config-store is stored in S3/DynamoDB in AWS
  • BUG-000131992 - Reflected cross-site scripting (XSS) vulnerability in ArcGIS Server.
  • BUG-000130002 - 'GetFolders', 'GetDescriptions', and 'GetDescriptionsEx' requests fail in ArcGIS Server 10.7.1 deployments on Amazon Web Services.
  • BUG-000128892 - Caching with 64 or more instances on a single machine may fail despite sufficient system resources.
  • BUG-000128060 - ArcGIS Server has a Server Side Request Forgery (SSRF) security vulnerability.
  • BUG-000127160 - Error enabling Location Tracking when the configuration store is in the cloud storage.
  • BUG-000127113 - Unable to connect to identity store using Asp.net using ArcGIS Server 10.7. or later after restarting the ArcGIS Server Windows service.
  • BUG-000125331 - CreateReplica with registerExistingData needs to account for service URLs with different machine names for hosted FS
  • BUG-000125214 - Optimize the deletion of services to avoid time-outs on deployments that include a large number of services.
  • BUG-000125044 - Hosted feature service has a stored cross-site scripting (XSS) vulnerability.
  • BUG-000124991 - ArcGIS Server fails to fully import root or intermediate certificates.
  • BUG-000124867 - When attempting to download a managed map area in Collector for ArcGIS, the download fails due to an error that occurs between ArcGIS Server and the ArcGIS Web Adaptor replica access.
  • BUG-000124827 - On a multiple-machine ArcGIS Server site that has one or more cached map services that have been consumed through ArcMap or a SOAP client, publishing a service or stopping/starting a service causes all services on the machines to restart.
  • BUG-000124576 - Starting a map service with a Java SOAP server object extension (SOE) enabled fails with the error "javax/xml/bind/JAXBException".
  • BUG-000124287 - Publishing fails because enterprise database registration fails, even though it appears to work on the UI. This could happen on a machine configuration that has multiple Network cards.
  • BUG-000123103 - ArcGIS Server improperly handles an incorrect CORS origin.
  • BUG-000122285 - Scalability of 3D Scene Service is impeded by frequent reads/writes to the config store and directories.
  • BUG-000120535 - In the Operations Dashboard for ArcGIS serial chart in Portal for ArcGIS, sorting data by statistics in the Data Options configuration returns the warning message, "Cannot Access Data."

Installing this patch on Windows

Installation Steps:

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    ArcGIS Enterprise 10.7.1  
       
    ArcGIS Server ArcGIS-1071-S-Log4j-Patch.msp
         Checksum
         (SHA256)    		 0452839CCE85C7B1EB68C91EC031ACEF5537A4968A579FEBBBDA238C096AFD9C
       

  2. Make sure you have write access to your ArcGIS installation location.
  3. Double-click ArcGIS-1071-S-Log4j-Patch.msp to start the setup process.

    NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

    msiexec.exe /p [location of Patch]\ArcGIS-1071-S-Log4j-Patch.msp
     

Installing this patch on Linux

Installation Steps:

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.

  1. Download the appropriate file to a location other than your ArcGIS installation location.

    ArcGIS Enterprise 10.7.1  
       
    ArcGIS Server ArcGIS-1071-S-Log4j-Patch-linux.tar
         Checksum
         (SHA256)    		 4584DDE9F744A20A6F94DB1604976F998B7FAF95CA2F6795128E5E742A28E1DB
       

  2. Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.
  3. Extract the specified tar file by typing:

    % tar -xvf ArcGIS-1071-S-Log4j-Patch-linux.tar
     
  4. Start the installation by typing:

    % ./applypatch

    This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

Upgrade a geodatabase

When a hotfix or patch for ArcGIS has been applied, it may also be necessary to upgrade your geodatabase. See the Upgrade the Geodatabase section on the Geodatabase management page for your individual DBMS platform for more information.

Uninstalling this patch on Windows

  • To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux

  • To remove this patch on versions 10.7 and higher, navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

    ./removepatch.sh

    The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

  • Restart your ArcGIS services

Patch Updates

Check the Patches and Service Packs page periodically for the availability of additional patches. New information about this patch will be posted here.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

Getting Help

Domestic sites, please contact Esri Technical Support at 1-888-377-4575, if you have any difficulty installing this patch. International sites, please contact your local Esri software distributor.


Download ID:7975

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options