A critical vulnerability in the widely used Java library Log4j, called Log4Shell, leads to a very critical threat situation according to the German Federal Office for Information Security (BSI).
VertiGIS products (UT Bauauskunft, UT Integrator, ...) are also affected by the vulnerability in Log4j. VertiGIS is working on a solution to the problem and will provide security updates in the short term. Until then, we recommend that our customers implement the defensive measures recommended by the BSI. In addition, detection and response capabilities should be increased in the short term to adequately monitor affected systems.
In the meantime, another Log4J vulnerability, CVE-2021-45105, has been published. It is independent of the previous issue and is not as serious. Nevertheless, it is recommended to update to Log4J 2.17, in which this issue is resolved. We have therefore tested the use of Log4J 2.17 with our products and found no problems.
Please follow this post to be informed about current information.
Products not affected:
- UT Desktop Suite (UT Editor, UT Asset Manager, ...)
- UT Server Suite (but see the note on ArcGIS Server as the base product below)
- UT WebApp
- Plot / WMPS
WMPS uses Log4J 1.2, which is not directly affected by CVE-2021-44228.
However, a similar vulnerability, CVE-2021-4104, exists for Log4J 1.2, but it only becomes apparent with a specific configuration that is not used by default in WMPS. Therefore, WMPS is normally not affected by CVE-2021-4104.
To ensure this, we recommend examining the log4j.properties configuration file, which must not contain the following line:
log4j.appender.jms=org.apache.log4j.net.JMSAppender
If this line is still present, we recommend removing it and restarting Apache Tomcat.
Affected Products:
- UT CBYD
Instructions for UT CBYD:
- Download the provided Log4J libraries (Log4J_2.17.0.zip)
- Stop the Tomcat
- Replace each of the following files in ...\BauAuskunftUrm\WEB-INF\lib and in ...\BauAuskunftService\WEB-INF\lib with the version 2.17.0 files from the download
  - log4j-api-2.11.0.jar
  - log4j-core-2.11.0.jar
  - log4j-web-2.11.0.jar
- Restart the Tomcat
UT CBYD URM uses Log4J 1.2, which is not directly affected by CVE-2021-44228.
However, a similar vulnerability, CVE-2021-4104, exists for Log4J 1.2, but it only becomes apparent with a specific configuration that is not used by default in UT CBYD URM. Therefore, UT CBYD URM is normally not affected by CVE-2021-4104.
To ensure this, we recommend examining the log4j.properties configuration file, which must not contain the following line:
log4j.appender.jms=org.apache.log4j.net.JMSAppender
If this line is still present, we recommend removing it and restarting Apache Tomcat.
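The JMSAppender check above (and the identical check for WMPS earlier in this post) can be automated. The following Python script is an added example, not VertiGIS tooling: it reads a log4j.properties file, skips commented-out lines, honours the trailing-backslash line continuation of Java properties files (so a class name split onto the next line is still seen), and reports every appender bound to org.apache.log4j.net.JMSAppender. The post names the appender "jms", but the appender name in log4j.properties is arbitrary, so the script goes beyond that exact string and accepts any name. The sample configuration embedded in it is constructed.

```python
import re
import sys
from pathlib import Path

# Matches an appender definition whose class is the Log4j 1.x JMSAppender.
# The post names "log4j.appender.jms=org.apache.log4j.net.JMSAppender"; the
# appender name ("jms") is arbitrary, so any name is accepted, as are spaces
# around the separator and ':' as the separator (both legal in .properties).
JMS_APPENDER_RE = re.compile(
    r"^log4j\.appender\.(?P<name>[^=:.\s]+)\s*[=:]\s*org\.apache\.log4j\.net\.JMSAppender\s*$"
)


def _logical_lines(text):
    """Yield (first line number, logical line) for a java.util.Properties file.

    Leading whitespace is dropped, and a line ending in a single backslash is
    joined with the following line (comment lines never continue).
    """
    buf, start = "", None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if start is None:
            start, buf = lineno, raw.lstrip()
            if buf.startswith(("#", "!")):
                yield start, buf
                buf, start = "", None
                continue
        else:
            buf += raw.lstrip()
        if buf.endswith("\\") and not buf.endswith("\\\\"):
            buf = buf[:-1]
            continue
        yield start, buf
        buf, start = "", None
    if start is not None:
        yield start, buf


def find_jms_appenders(text):
    """Return (line number, appender name) for every active JMSAppender binding."""
    hits = []
    for lineno, line in _logical_lines(text):
        if line.startswith(("#", "!")):
            continue
        m = JMS_APPENDER_RE.match(line)
        if m:
            hits.append((lineno, m.group("name")))
    return hits


def check_file(path):
    """Run the check on a log4j.properties file on disk."""
    return find_jms_appenders(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample: a file appender, a commented-out JMS appender (harmless),
# and two active JMS appenders, one of them hidden behind a line continuation.
SAMPLE_PROPERTIES = (
    "log4j.rootLogger=INFO, file\n"
    "log4j.appender.file=org.apache.log4j.RollingFileAppender\n"
    "log4j.appender.file.File=wmps.log\n"
    "# log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
    "log4j.appender.queue = org.apache.log4j.net.JMSAppender\n"
    "log4j.appender.split=\\\n"
    "    org.apache.log4j.net.JMSAppender\n"
    "log4j.appender.file.layout=org.apache.log4j.PatternLayout\n"
)

if __name__ == "__main__":
    # Usage: python check_jms_appender.py [path/to/log4j.properties]
    if len(sys.argv) > 1:
        hits, label = check_file(sys.argv[1]), sys.argv[1]
    else:
        hits, label = find_jms_appenders(SAMPLE_PROPERTIES), "constructed sample"
    if hits:
        print(f"{label}: JMSAppender configured, remove it and restart Tomcat:")
        for lineno, name in hits:
            print(f"  line {lineno}: log4j.appender.{name}")
    else:
        print(f"{label}: no JMSAppender found")
```

Run it against each log4j.properties of a WMPS or UT CBYD URM installation; any line it reports is one the post says to remove before restarting Apache Tomcat. A commented-out entry is not reported, because Log4j 1.x does not load it.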
- UT AppConnector
Instructions for UT AppConnector:
- Download the provided Log4J libraries (Log4J_2.17.0.zip).
- Stop the Tomcat
- Replace each of the following files in WEB-INF/lib with the files for version 2.17.0 in the download
  - log4j-api-2.8.0.jar
  - log4j-core-2.8.0.jar
  - log4j-web-2.8.0.jar
  - log4j-1.2-api-2.8.0.jar
- Restart the Tomcat
- UT Integrator
Instructions for UT Integrator:
- Download the provided Log4J libraries (Log4J_2.17.0.zip).
- Stop the Tomcat
- Replace the following files in [TOMCAT]webapps/utpostserver/web-inf/lib with the files for version 2.17.0 in the download
  - log4j-api-2.x.x.jar
  - log4j-core-2.x.x.jar
  - log4j-web-2.x.x.jar
- Restart the Tomcat
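The replacement procedures for UT CBYD, UT AppConnector and UT Integrator all come down to the same check: find every log4j-*.jar under a WEB-INF/lib directory and compare its version with 2.17.0. The following Python inventory script is an added example, not VertiGIS tooling. It walks a directory tree, classifies each Log4j jar by its file name, reports Log4j 2 jars below 2.17.0 as needing replacement, and separately flags Log4j 1.x jars, which this post says are not affected by CVE-2021-44228 but whose log4j.properties must not bind a JMSAppender. The directory layout it builds when run without arguments is constructed, using empty placeholder files named after the jars listed in this post.

```python
import re
import sys
import tempfile
from pathlib import Path

# Version the post's Log4J_2.17.0.zip provides; anything older is replaced.
TARGET_VERSION = (2, 17, 0)

# log4j-<artifact>-<version>.jar, e.g. log4j-core-2.11.0.jar or log4j-1.2-api-2.8.0.jar
LOG4J2_JAR_RE = re.compile(r"^log4j-(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)+)\.jar$")
# log4j-<version>.jar, e.g. log4j-1.2.17.jar (the Log4j 1.x line)
LOG4J1_JAR_RE = re.compile(r"^log4j-(?P<version>1(?:\.\d+)+)\.jar$")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def classify_jar(filename):
    """Describe one jar by name, or return None if it is not a Log4j jar.

    status: 'ok'        Log4j 2 at or above TARGET_VERSION
            'outdated'  Log4j 2 below TARGET_VERSION, replace per the post
            'log4j1'    Log4j 1.x, not affected by CVE-2021-44228, but its
                        log4j.properties must not bind a JMSAppender (CVE-2021-4104)
            'unknown'   log4j-* name with a non-2.x version (e.g. a bridge jar)
    """
    m = LOG4J2_JAR_RE.match(filename)
    if m:
        version = parse_version(m.group("version"))
        if version[0] != 2:
            status = "unknown"
        elif version >= TARGET_VERSION:
            status = "ok"
        else:
            status = "outdated"
        return {"file": filename, "artifact": m.group("artifact"),
                "version": version, "status": status}
    m = LOG4J1_JAR_RE.match(filename)
    if m:
        return {"file": filename, "artifact": "log4j",
                "version": parse_version(m.group("version")), "status": "log4j1"}
    return None


def scan_lib_dir(root):
    """Walk a deployment (Tomcat webapps, an unpacked SOE, ...) and return one
    record per Log4j jar found, with its path relative to root."""
    root = Path(root)
    records = []
    for jar in sorted(root.rglob("*.jar")):
        info = classify_jar(jar.name)
        if info:
            info["path"] = str(jar.relative_to(root))
            records.append(info)
    return records


def needs_action(records):
    """Only the records an operator has to act on."""
    return [r for r in records if r["status"] in ("outdated", "log4j1")]


def build_demo_dir():
    """Constructed layout modelled on the post's paths, with empty placeholder jars."""
    root = Path(tempfile.mkdtemp(prefix="log4j-inventory-"))
    layout = {
        "BauAuskunftUrm/WEB-INF/lib": ["log4j-1.2.17.jar", "commons-logging-1.2.jar"],
        "BauAuskunftService/WEB-INF/lib": ["log4j-api-2.11.0.jar", "log4j-core-2.11.0.jar",
                                           "log4j-web-2.11.0.jar"],
        "webapps/utpostserver/WEB-INF/lib": ["log4j-api-2.17.0.jar", "log4j-core-2.17.0.jar",
                                             "log4j-web-2.17.0.jar"],
    }
    for subdir, names in layout.items():
        d = root / subdir
        d.mkdir(parents=True)
        for name in names:
            (d / name).touch()
    return root


if __name__ == "__main__":
    # Usage: python log4j_inventory.py [deployment root]; no argument runs the demo layout.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_dir()
    for r in scan_lib_dir(root):
        ver = ".".join(map(str, r["version"]))
        print(f"{r['status']:9} {ver:8} {r['path']}")
    print(f"{len(needs_action(scan_lib_dir(root)))} jar(s) need attention")
```

Pointing it at a Tomcat root lists every Log4j jar per web application, so nothing is missed when the same library sits in several WEB-INF/lib directories (as with the two UT CBYD paths). The classification is by file name only; a jar renamed or shaded into another archive is not detected, which is why the post's own file lists remain the authoritative checklist.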
The log4j libraries are also included in the UT Integrator SOE file. Regarding an update of the SOE, we will contact affected customers directly. We recommend protecting the map service in ArcGIS Server with the UT Integrator SOE by user/password; the credentials must then be entered accordingly in UT Integrator.
Notes for partner products:
- Esri:
Regarding ArcGIS base technology, VertiGIS recommends the official article from Esri Inc:
ArcGIS Software and CVE-2021-44228 (esri.com).
Advice
This Esri Inc. article is continuously updated and VertiGIS recommends checking this post regularly.
Esri Inc. now also recommends, "out of an abundance of caution", running certain scripts even on current ArcGIS 10.8.1 installations. More information is in the ArcGIS Blog post.
ArcGIS 10.7.1 (Enterprise as well as standalone Server) and earlier versions are potentially vulnerable; further analysis is underway at Esri Inc. to determine the extent of the vulnerability.
Customers running ArcGIS versions that may be vulnerable are strongly advised to immediately take comprehensive defensive measures for all systems connected to the Internet and for other vulnerable systems.
Esri Inc. will provide appropriate patches for the affected versions as soon as possible. Esri has created Log4Shell mitigation scripts that are strongly recommended to be applied to all installations of ArcGIS Enterprise and ArcGIS Server, whatever the software version.
Detailed information:
- ArcGIS Server – Also includes mitigation for ArcGIS GeoEvent Server
- Portal for ArcGIS
- ArcGIS Data Store
Esri has started to provide patches for the affected products. For further products and versions the deployment will follow. An overview of the already released and upcoming patches can be found here:
https://support.esri.com/en/download/7964
Please check this article regularly for updates. Please also refer to Esri's further notes on patches:
ArcGIS Enterprise Log4j Security Patches Available
- Baral
Critical vulnerability in log4j published (CVE-2021-44228) in the context of Baral products - CADMAP
Update 1: 13.12.2021:
- Listing of affected and not affected products
- Notes for UT CBYD, UT AppConnector and UT Integrator
- Notes for partner products
Update 2: 14.12.2021
- Update Link BSI
Update 3: 14.12.2021
- Update hints UT CBYD
Update 4: 15.12.2021
- Notes on UT CBYD, UT AppConnector and UT Integrator - Update to 2.16
- Notes on products from CADMAP
Update 5: 16.12.2021
- Update for Esri
Update 6: 17.12.2021
- Notes Plot / WMPS
- Notes UT CBYD URM
- Update Notes UT Integrator
Update 7: 21.12.2021
- Update concerning CVE-2021-45105
Update 8: 15.02.2022
- Esri has started providing Patches