UPDATE - ArcGIS and CVE-2021-44228 Apache Log4j
IMPORTANT INFORMATION - PLEASE DO NOT DISCARD
Eagle Technology and Esri continue to actively investigate the impact of the Log4j library vulnerability (CVE-2021-44228) disclosed on December 9, 2021, as some Esri products contain this common logging tool. This update contains the latest information about Esri & Eagle Technology products and we continue to provide updates as new information becomes available.
Last updated 14/12/2021
ArcGIS Enterprise versions 10.7.1 and earlier are potentially vulnerable with active investigations underway to determine exploitability. Customers using these older versions of Enterprise should strongly consider the following mitigation options:
- Upgrade to ArcGIS Enterprise 10.8 or later, as risk is mitigated with these versions. We recommend updating to the latest version, 10.9.1, for the strongest security posture.
- Deploy Web Application Firewall (WAF) rules to filter out offending requests. If you host Enterprise in a cloud provider, you should ensure you enable their latest WAF rule updates, such as those recommended here by Amazon. Alternatively, if you host ArcGIS Enterprise on your own infrastructure, please refer to the documentation here.
Further options for mitigations will be provided as they become available. Patches for supported versions of affected software components and versions will be made available as soon as possible. Related products such as ArcGIS GeoEvent Server contain Log4j and should also have mitigations applied.
Recent releases of ArcGIS Pro contain Log4j but are not known to be exploitable as the software does not listen for remote traffic.
Esri has performed preliminary patching of ArcGIS Online systems and is continuing to evaluate the CVE as well as all relevant third-party fixes as they become available. They will apply the relevant patches in accordance with applicable change management processes.
Eagle Technology’s LocalMaps solution is not affected by the current Log4j vulnerability, and no action is required.
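For the products noted above as containing Log4j, one way to inventory the bundled library on a host is to walk the install directory and classify each `log4j-core` JAR. This is an added example, not code from Esri or Eagle Technology; it assumes the CVE-2021-44228 affected range for log4j-core (2.0-beta9 through 2.14.1) and the `JndiLookup.class` path, neither of which is stated in this notice, and the sample JARs are constructed stand-ins.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumptions (not stated in the notice): CVE-2021-44228 affects log4j-core
# 2.0-beta9 through 2.14.1, and the JNDI lookup class sits at this JAR path.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$", re.I)

def classify(jar_path):
    """Return (version, has_jndi_lookup, status) for one JAR file."""
    m = NAME_RE.search(Path(jar_path).name)
    version = tuple(int(g or 0) for g in m.groups()) if m else None
    with zipfile.ZipFile(jar_path) as jar:
        has_jndi = JNDI_CLASS in jar.namelist()
    if version and version >= (2, 15, 0):
        return version, has_jndi, "outside-affected-range"
    if not has_jndi:
        return version, has_jndi, "jndi-lookup-absent"
    # Class present: any 2.x below 2.15.0 counts as affected (conservative);
    # a JAR with no version in its file name needs a manual look.
    status = "in-affected-range" if version else "review-manually"
    return version, has_jndi, status

def scan(root):
    """Classify JARs under root named log4j-core or holding the lookup class."""
    findings = {}
    for path in sorted(Path(root).rglob("*.jar")):
        if zipfile.is_zipfile(path):  # nested archives are not opened
            result = classify(path)
            if NAME_RE.search(path.name) or result[1]:
                findings[path.relative_to(root).as_posix()] = result
    return findings

def make_sample_tree(root):
    """Constructed sample input: tiny stand-in JARs, not real Log4j builds."""
    Path(root, "lib").mkdir()
    names = {"log4j-core-2.13.3.jar": True, "log4j-core-2.8.2.jar": False,
             "log4j-core-2.17.1.jar": True, "bundle.jar": True, "other.jar": False}
    for name, with_jndi in names.items():
        with zipfile.ZipFile(Path(root, "lib", name), "w") as jar:
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for name, result in scan(tmp).items():
            print(name, *result)
```

A finding only shows that the library is present on disk; whether a given ArcGIS product is exploitable is what the product statements above address.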
Eagle Technology NZ Basemap Updates
As part of Eagle Technology’s response to this vulnerability, we have taken the precaution of upgrading the infrastructure that hosts our NZ Basemaps (classic) i.e. services.arcgisonline.co.nz/arcgis/rest.
This upgrade involves the following main changes:
- ArcGIS Enterprise upgrade (move to version 10.8)
- No further support for TLS versions 1.0 or 1.1 (https://support.esri.com/en/technical-article/000019305)
While we do not anticipate any disruption, these changes may impact some environments. Therefore, please get in touch with our Technical Support team if you experience any issues with consuming these basemaps.
Eagle Technology Managed Cloud Services
The Eagle Technology Managed Services Team are working through all of the managed customer environments to apply the appropriate mitigations where required.
Additional information regarding this evolving issue will be provided as there is more to share and can be found on the ArcGIS Enterprise blog.
The Eagle Technology team will be contacting individual customers who may be affected to assist with next steps.
If you have any questions or concerns regarding this issue please contact Eagle Technology GIS Technical Support or your Account Manager who will be able to assist.
Emergency Management Support
To better streamline this supporting work, we have introduced a dedicated email contact which is monitored by our specialists within business hours and is designed to assist you in getting specialist GIS support required in an emergency.
Committed to providing excellent customer support
Eagle Technology is committed to providing excellent customer support which exceeds the needs of our user community.
Our Passion and Expertise
Through sharing our GIS passion and expertise, our goal is to promote GIS for everyone and help our customers achieve success with Esri and Eagle Technology.
Eagle Technology GIS Professional Support offers a range of technical maintenance programs with options designed to meet the needs of users at all levels. Services include:
- Telephone and email technical support
- 24/7 online support
- Software upgrades, service packs and patches
- Publications and newsletters
- Eagle Technology and Esri New Zealand User Group events
A Technical and Experienced Team
Timely and expert assistance for clients currently under maintenance. The scope of our technical support services includes advice and assistance in solving problems arising from the use of the software. Where necessary, we can help you inspect and check the software in order to keep it in good operating condition.
Eagle Technology GIS Professional Support is staffed by a highly trained and experienced team with in-depth knowledge of Esri technology and applications in a wide range of environments and industries.
The team follows strict quality standards, regularly tested through customer surveys, with this feedback used to continually enhance our services.