A critical vulnerability in the widely used Java library Log4j, known as Log4Shell, has created a very critical threat situation, according to the German Federal Office for Information Security (BSI).
VertiGIS products are also affected by the Log4j vulnerability. VertiGIS is working on a solution to the problem and the provision of security updates in the short term. Until then, we recommend that our customers implement the defensive measures recommended by the BSI. In addition, detection and response capabilities should be increased in the short term to adequately monitor the affected systems.
For all supported WebOffice versions (10.8 & 10.9), VertiGIS currently recommends upgrading to the latest patch and installing the latest FTS index application (build 8.11.1). These components can be found here:
For all older applications or patch levels, the steps below must be performed.
VertiGIS is currently investigating, with high priority, the impact of the security vulnerability CVE-2021-44228 in the Log4j library, announced on December 9, 2021, on the WebOffice application and related components, and hereby reports the current status:
1. ArcGIS Technology
Regarding the ArcGIS technology VertiGIS recommends the official article from Esri Inc:
This Esri Inc. article is updated regularly and VertiGIS recommends checking this Blog post regularly.
ArcGIS 10.7.1 (Enterprise as well as Server standalone) and earlier versions are potentially vulnerable, and further analysis is currently ongoing at Esri Inc. to determine the vulnerability.
Esri Inc. now also recommends, "out of an abundance of caution", that certain scripts be run even on current ArcGIS 10.8.1 installations. More information is available in the ArcGIS blog post.
Customers running ArcGIS versions that may be vulnerable are strongly advised to immediately take significant preventive actions for all systems connected to the Internet or for other vulnerable systems.
Esri Inc. will provide appropriate patches for the affected versions as soon as possible.
Esri has prepared Log4Shell mitigation scripts; applying them to all installations of ArcGIS Enterprise and ArcGIS Server, regardless of software version, is strongly recommended.
- ArcGIS Server – Also includes mitigation for ArcGIS GeoEvent Server
- Portal for ArcGIS
- ArcGIS Data Store
Esri has started to provide patches for the affected products. For further products and versions the deployment will follow. An overview of the already released and upcoming patches can be found here:
Please check this article regularly for updates. Please also refer to Esri's further notes on patches
2. Servlet Engine Apache Tomcat
Regarding the Apache Tomcat servlet engine, VertiGIS recommends the official Apache Tomcat 9.x security vulnerabilities page:
Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x) have no dependency on any version of log4j.
In a standard installation of Apache Tomcat there is typically no Log4j in the Tomcat\lib directory. If it is there, it was not added during a standard Tomcat installation or during a WebOffice installation.
3. WebOffice Application Server
The analysis on the part of WebOffice development has shown that the WebOffice application is not affected by the vulnerability because the WebOffice application server uses another version of Log4j which is not affected by this vulnerability.
4. WebOffice Full Text Search (FTS Index)
Regarding the WebOffice full-text search (FTS index) VertiGIS recommends the official article of Apache Solr:
Therefore, VertiGIS currently recommends a manual adaptation of the full-text search application until an official security update is released.
With the IP filter configured as recommended, there could be no threat even before Apache Solr was adapted.
Necessary steps to adapt the full-text search application:
- Stop the Windows service WebOffice FTS index (port 8983)
- Modify the solr.in.cmd file (found in the WebOffice FTS index installation directory, example path: .\Program Files (x86)\VertiGIS\WebOffice FTS index\bin\solr.in.cmd) by adding the following line:
set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
- In a file explorer change to the directory "WebOffice FTS index" of your WebOffice FTS index installation (example path: C:\Program Files (x86)\VertiGIS\WebOffice FTS index).
- In the subdirectory "server\lib\ext" replace the following files - if available - with the corresponding updated files (download link via Apache Software Foundation) by deleting the existing files and copying the new files into the directory:
log4j-api-2.XX.XX.jar by log4j-api-2.17.x.jar
log4j-core-2.XX.XX.jar by log4j-core-2.17.x.jar
log4j-1.2-api-2.XX.XX.jar by log4j-1.2-api-2.17.x.jar
log4j-slf4j-impl-2.XX.XX.jar by log4j-slf4j-impl-2.17.x.jar
log4j-web-2.XX.XX.jar by log4j-web-2.17.x.jar
- After these adjustments start the Windows service WebOffice FTS index (port 8983).
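To confirm that the manual steps above were applied, the following read-only PowerShell check can be run on the FTS index host. It is an added example, not a VertiGIS or Apache script; it assumes the example installation path from this advisory, and the function names are hypothetical.

```powershell
# Added example: read-only check of the manual FTS index mitigation.
# Assumption: the example installation path from the advisory; pass -FtsRoot to override.
param(
    [string]$FtsRoot = 'C:\Program Files (x86)\VertiGIS\WebOffice FTS index'
)

function Test-SolrNoLookups {
    # True if solr.in.cmd has an active (not commented out) line setting the flag.
    param([string]$SolrInCmd)
    if (-not (Test-Path -LiteralPath $SolrInCmd)) { return $false }
    $active = @(Get-Content -LiteralPath $SolrInCmd |
        Where-Object { $_ -notmatch '^\s*(REM\b|::)' })
    $hits = @($active |
        Where-Object { $_ -match '^\s*set\s+SOLR_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true' })
    return ($hits.Count -gt 0)
}

function Get-Log4jJarStatus {
    # Lists each log4j-*.jar in server\lib\ext with the version parsed from its file name.
    param([string]$ExtDir)
    Get-ChildItem -LiteralPath $ExtDir -Filter 'log4j-*.jar' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ver = $null
            $ok  = $false   # an unparseable file name is treated as not updated
            if ($_.Name -match '-(\d+\.\d+(\.\d+)?)\.jar$') {
                $ver = [version]$Matches[1]
                $ok  = $ver -ge [version]'2.17'
            }
            [pscustomobject]@{ File = $_.Name; Version = $ver; AtLeast2_17 = $ok }
        }
}

$flagOk = Test-SolrNoLookups (Join-Path $FtsRoot 'bin\solr.in.cmd')
$jars   = @(Get-Log4jJarStatus (Join-Path $FtsRoot 'server\lib\ext'))
$old    = @($jars | Where-Object { -not $_.AtLeast2_17 })

$jars | Format-Table -AutoSize | Out-String | Write-Host
Write-Host "formatMsgNoLookups set in solr.in.cmd: $flagOk"
Write-Host "log4j jars below 2.17: $($old.Count) of $($jars.Count)"

if (-not $flagOk -or $old.Count -gt 0) {
    Write-Warning 'Manual mitigation is incomplete; repeat the steps above.'
    exit 1
}
Write-Host 'Manual mitigation steps appear to be applied.'
```

The option in solr.in.cmd is only read when the service starts, so the check reflects the running state only after the WebOffice FTS index service has been restarted.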
After an official patch for the Solr framework is released, VertiGIS will provide an updated version of the WebOffice FTS index as a download.
In general, VertiGIS recommends always keeping all software (Windows, ArcGIS, Java, Tomcat, WebOffice, ...) up to date.
VertiGIS will keep you updated about possible further analysis results from the WebOffice development team.
Update 5 - 02/15/2022, 1:00pm:
- Section 1. ArcGIS Base Technology
- Esri has started to provide patches
Update 4 - 01/12/2022, 10:45am:
- Section 4 WebOffice full-text search (FTS index)
- New download link via Apache Software Foundation for manual update of log4j files in the full-text search application
Update 3 - 12/21/2021, 09:30am:
- Update recommendation to the latest patch (20211220) and the latest FTS-Index-Build
Update 2 - 12/16/2021, 9:30am:
- Section 1. ArcGIS Basic Technology
- New note added
- Added information that a script is now available from Esri Inc.
Update 1 - 12/15/2021, 5:00pm:
- Section 4. full text search (FTS Index):
- Additional adjustment possibility: Replace log4j files in WebOffice FTS index installation directory.