As reported in numerous media, a security vulnerability (CVE-2021-44228) was recently identified in the Apache Log4j library, which was marked with the highest warning level by the BSI.
Various con terra Technologies products use this library and are therefore potentially affected by the vulnerability. We are working intensively on the fix and will inform you continuously in this article.
New releases are available for the following products in the specified version that use Log4j 2.16.0 and close the vulnerability:
- map.apps 4.12.3
- map.apps ETL 4.3.1
- map.apps SDI 5.1.7
- map.apps Smart Search 2.1.2
- map.apps User Management 4.18.3
- security.manager NEXT 1.2.2
- security.manager - Enterprise Edition 4.18.3
- security.manager - ArcGIS Edition 1.6.2
- service.monitor 4.5
- smart.finder 2.1.2
- smart.finder SDI 2.1.2
We recommend installing the new versions immediately.
If this is not possible, please download the following hotfix and apply the steps described in it.
The hotfix is also applicable for the above mentioned product versions to update them to Log4j 2.17.1. This is normally not necessary, as the on Dec 18, 2021 and Dec 28, 2021 newly reported CVEs CVE-2021-45105 and CVE-2021-44832 only affect systems that use a specific configuration of Log4j. The con terra Technologies products are not affected in the default configuration.
The hotfix can be applied to the following product versions (each including the one specified):
- map.apps 4.0.0-PIONEER - 4.12.2
- map.apps ETL 4.1.5 - 4.3.0 (only when using the FME Server Proxy servlet)
- map.apps SDI 5.0.0 - 5.1.5
- map.apps Smart Search 1.5.0 - 2.1.1
- map.apps User Management 4.16.0 - 4.18.2
- security.manager ArcGIS Edition 1.0.0 - 1.6.1
- security.manager Enterprise Edition 4.16.0 - 4.18.2
- security.manager NEXT 1.0.0 - 1.2.2
- service.monitor Analytics 4.3.0 - 4.5.0
- service.monitor Monitoring 4.0.0 - 4.5.0
- smart.finder 1.5.0 - 2.1.1
- smart.finder SDI 1.4.0 - 2.1.1
A previously described workaround (via setting the environment variables) is now no longer considered safe in all cases. With the update to Log4j 2.17.0, the security-critical feature has been removed from the library. Setting the environment variable is therefore obsolete.
Notes on Log4j 1.x
To the best of our knowledge, the vulnerability cannot be exploited when using Log4j 1.x. This version of the library is used e.g. in security.manager Enterprise Edition <4.16, map.apps SDI 4.x, map.apps Smart Search <1.6.0 and smart.finder 1.6.0.
Log4j 1.x does not offer a JNDI lookup (section: "Is log4j 1.x vulnerable?"). However, there is another potential attack vector via a JMS appender if this is used in the logging configuration - but this is not the case in the delivery configuration of the above-mentioned products.
To be on the safe side, you can perform the following steps:
-
Make sure that the Log4j configuration does not use JSMAppender. Please check the files
log4j.xmlanddefault-log4j.xml(if available). You can find them in the folders[INSTALLATION]/WEB-INF/classes. For map.apps Smart Search, this can additionally be located under[data.directory.location]/(e.g.${user.home}/.smartfinder). Make sure that a JSMAppender is not used anywhere here. -
Furthermore, the corresponding class should be completely removed from
log4j-1.2.17.jar- this way you will be on the safe side in case of future configuration changes. Instructions on how to do this can be found in the article referenced above. After changing both files, the Tomcat server must be restarted. -
Optional: For map.apps Smart Search there is also the possibility to update to version 1.6.0 - this is compatible with map.apps line 3. Here Log4j 2.x is used and therefore the described hotfix can be applied.
Information from Esri (ArcGIS) and Safe Software (FME)
- Esri: ArcGIS and CVE-2021-44228 Apache Log4j 2
- Safe Software: Is FME Affected by the Security Vulnerability Reported Against log4j?
Status: 12/28/2021, 11:00 AM