Apache Log4j vulnerability CVE-2021-44228
A recently disclosed vulnerability (CVE-2021-44228, "Log4Shell") in the Java logging library Log4j has raised many concerns. The Geocortex team has reviewed our entire code base and confirmed that Log4j 2.x is not used anywhere by any Geocortex product.
The version of Log4j that is included with Geocortex Essentials and Geocortex Analytics is not vulnerable to CVE-2021-44228.
Geocortex products do not require patching to address CVE-2021-44228.
Customizations to Geocortex software are not made using Java, so they cannot reference Log4j or include the vulnerable library.
Because Geocortex products depend on Esri ArcGIS products, customers may still need to apply Esri security patches to address the vulnerability in those components. Please refer to Esri's guide on CVE-2021-44228 here: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/
-
Does this mean Log4J is in Geocortex Essentials and Geocortex Analytics but is an older version? If so what versions are Geocortex Essentials and Analytics using?
Thanks
0 -
Hi Mark,
Log4j 1.2.17 is used by all supported versions of Geocortex Essentials and Geocortex Analytics. This version is confirmed to be not vulnerable to the Log4Shell attack. While this 1.x library is no longer supported by the open source community, it does not pose a security vulnerability to applications that use it. As VertiGIS reviews third-party dependencies on open source products, we make decisions to upgrade those when doing so would resolve an issue (either security related or otherwise), provide additional value in the product offering, or enable us to better support our customers. We continue to provide support for Geocortex offerings that may reference open source libraries that are no longer supported by the community, and we are not aware of security vulnerabilities or value propositions that would necessitate an upgrade of those libraries.
Regards,
-Malcolm
0 -
Hi,
If we have an external WAN-to-LAN rule in place to allow Geocortex Essentials sites to be shown externally, with these sites pointing to internal mapping services on an Esri 10.4.1 application server, is there an impact/risk from the Apache/log4j service on the Esri 10.4.1 server that is vulnerable, from allowing the rule to show Geocortex sites externally with 10.4.1 map services in them?
Thanks
0 -
Hello,
While checking our vulnerability, our IT department discovered an older vulnerability for Log4J 1.2. Is this a security risk for using Geocortex products?
https://nvd.nist.gov/vuln/detail/CVE-2019-17571
Regards,
Geert
0 -
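The advisory above states that Geocortex ships Log4j 1.x (1.2.17, per the vendor's reply) and no Log4j 2.x, and the question above raises CVE-2019-17571 against that 1.x line. A practitioner will want to verify both claims on the installed files rather than take them on trust. The scanner below is an added example, not VertiGIS/Geocortex or Esri code. It walks a directory of jar/war/ear files (recursing into nested jars), identifies Log4j 1.x by its `org/apache/log4j/` package and Log4j 2.x core by `org/apache/logging/log4j/core/`, reads the version from Maven `pom.properties` where present, and reports: for 2.x, whether `JndiLookup.class` (the class behind CVE-2021-44228) is present and whether the version is at least 2.16.0; for 1.x, whether `org/apache/log4j/net/SocketServer.class` ships, because CVE-2019-17571 is a deserialization flaw in that `SocketServer` and only matters if such a listener is actually run on untrusted traffic. The version threshold is a simplification (it does not model the 2.12.x/2.3.x backports for older Java), and the sample jars are constructed in memory so the script runs offline; `scan_tree` is the function to point at a real install directory.

```python
import io
import re
import zipfile
from pathlib import Path

# Real class paths inside the respective libraries; their presence drives the verdict.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"


def _parse_version(ver):
    """'2.14.1' -> (2, 14, 1); unknown or odd strings sort lowest as (0,)."""
    nums = re.findall(r"\d+", ver or "")
    return tuple(int(n) for n in nums) if nums else (0,)


def _pom_version(zf, artifact_path):
    """Read version= from META-INF/maven/<group>/<artifact>/pom.properties, if shipped."""
    prefix = "META-INF/maven/" + artifact_path
    for name in zf.namelist():
        if name.startswith(prefix) and name.endswith("pom.properties"):
            m = re.search(rb"^version=(.+)$", zf.read(name), re.M)
            if m:
                return m.group(1).decode("ascii", "replace").strip()
    return None


def classify_jar(jar_bytes, label):
    """Return a list of findings for one jar, recursing into nested jars (fat jars, WAR lib/)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())

        if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            ver = _pom_version(zf, "org.apache.logging.log4j/log4j-core") or "unknown"
            if _parse_version(ver) >= (2, 16, 0):
                status = "patched (>= 2.16.0)"
            elif JNDI_LOOKUP in names:
                status = "VULNERABLE to CVE-2021-44228 (JndiLookup.class present)"
            else:
                status = "mitigated (JndiLookup.class removed)"
            findings.append({"jar": label, "family": "log4j-core 2.x", "version": ver, "status": status})

        if any(n.startswith("org/apache/log4j/") for n in names):
            ver = _pom_version(zf, "log4j/log4j") or "unknown"
            if LOG4J1_SOCKET_SERVER in names:
                status = ("not affected by CVE-2021-44228; CVE-2019-17571 applies only if a "
                          "SocketServer/SocketNode listener is run on untrusted traffic")
            else:
                status = "not affected by CVE-2021-44228; SocketServer.class absent"
            findings.append({"jar": label, "family": "log4j 1.x", "version": ver, "status": status})

        for n in sorted(names):
            if n.endswith(".jar"):
                findings.extend(classify_jar(zf.read(n), f"{label}!{n}"))
    return findings


def scan_tree(root):
    """Scan every .jar/.war/.ear under a real install directory."""
    out = []
    for p in sorted(Path(root).rglob("*")):
        if p.suffix.lower() in (".jar", ".war", ".ear"):
            out.extend(classify_jar(p.read_bytes(), str(p)))
    return out


def _make_jar(entries):
    """Build an in-memory jar from {path: bytes}; used only for constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def sample_jars():
    """Constructed stand-ins for real jars: only the entry names matter to the scanner."""
    core_pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    return {
        "log4j-1.2.17.jar": _make_jar({
            "META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.17\n",
            "org/apache/log4j/Logger.class": b"",
            LOG4J1_SOCKET_SERVER: b"",
        }),
        "log4j-core-2.14.1.jar": _make_jar({
            core_pom: b"version=2.14.1\n",
            "org/apache/logging/log4j/core/Logger.class": b"",
            JNDI_LOOKUP: b"",
        }),
        "app.war": _make_jar({  # nested jar inside a WAR, the common deployment shape
            "WEB-INF/lib/log4j-core-2.17.0.jar": _make_jar({
                core_pom: b"version=2.17.0\n",
                "org/apache/logging/log4j/core/Logger.class": b"",
                JNDI_LOOKUP: b"",
            }),
        }),
    }


if __name__ == "__main__":
    for name, data in sample_jars().items():
        for f in classify_jar(data, name):
            print(f"{f['jar']}: {f['family']} {f['version']} -> {f['status']}")
```

Run it against a product install with `scan_tree("/path/to/install")`: a 1.x hit with `SocketServer.class` present is not a Log4Shell finding, but it is the cue to confirm that no `org.apache.log4j.net.SocketServer` process is listening on a network port. For Esri components, this scanner only tells you what is on disk; the patch guidance in Esri's advisory still applies.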
@Malcolm Walker, the post from @Geert Claessens raises a very valid question, since the version IN USE is also compromised.
0 -
Hi All,
We have also conducted internal testing of all Geocortex products and though the log4j library is included in Geocortex Core, it does not reference the library in a way that could be vulnerable, as confirmed by code reviews and execution of a vulnerability scanner.
Thanks, Stefan
0 -
Hi @Stefan Schweigert, may I just confirm explicitly that when you say "this library" in your above post that you are referring to the 1.x library.
Thank you,
Vanessa
0 -
Hi Vanessa,
Yes, that's correct.
Thanks, Stefan
0 -
Given the recent additional vulnerabilities discovered in Log4j - Does VertiGIS still believe that Geocortex Essentials is not vulnerable to a Log4j exploit? Can Log4j be uninstalled from Geocortex Essentials? If not - can Log4j be upgraded to 2.17.0?
Thanks, Dan
0 -
Hi Dan,
We've re-run our security tests after the announcement about 2.16 and again found no issues with the version currently in use by Core.
Thanks, Stefan
1
Comments
10 comments