ArcGIS_LogHarvester.psm1 and log4j

[scma-esrich]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request

Module Version

• 3.3.0

Affected Resource(s)

• ArcGIS_LogHarvester

Configuration Files

# Copy-paste your DSC JSON configurations here - for large configs,
# please use a service like Dropbox and share a link to the ZIP file.

N/A

Expected Behavior

Actual Behavior

N/A

Steps to Reproduce

N/A

Important Factoids

N/A

References

In the DSC-resource "ArcGIS_LogHarvester" there is a reference to log4j. To my understanding, the ArcGIS-module is as secure as the corresponding ArcGIS-version against the log4shell-vulnerability. Is this assumption correct?

Can you please give us a statement about the log4j-use within the DSC-module and its potential (additional) log4shell-vulnerability?

Thanks in advance!

[scma-esrich]

@niol-esrich and @spitzerr

[cameronkroeker]

Hi @scma-esrich,

The DSC resource "ArcGIS_LogHarvestor" in the ArcGIS Module doesn't package log4j, therefore yes your assumption is correct, any mitigation against ArcGIS components should be enough.

Thanks, Cameron K.

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.