FirstWatch Technical Advisory:
Log4Shell / Log4j

Dear FirstWatch System Administrators,

Please share this information with other users as needed: 

There is a internet vulnerability called Log4Shell or Log4j that is affecting many sites on the Internet (https://techcrunch.com/2021/12/13/the-race-is-on-to-patch-log4shell-as-attacks-begin-to-rise/), and we want to provide a quick update to assure our customers that this issue does not directly apply to FirstWatch systems, including our subscriber sites, marketing sites, or any FirstWatch software.
 
On Thursday, November 9th, this vulnerability was announced, and though we do not use the affected software, out of an abundance of caution, we immediately updated our firewall configurations to block any activity attempting to exploit this vulnerability. When we did that, this effectively became a non-issue for our systems, and for any customers or systems accessing FirstWatch.
 
However, we, like many public safety agencies and vendors, use ESRI mapping functions within our system, and ESRI later identified a vulnerability (https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/). ESRI recommended updating firewall rules (which we had done on day zero, and recommended to upgrade to the latest version of their software. We started that today, and should be complete by tonight, after which we’ll be able to test functionality to ensure the upgrade didn’t break anything new. The worst case scenario would be that ESRI’s web servers become compromised, and some of our GIS-related functionality could temporarily be unavailable. ESRI is on top of this on their end, and we don’t expect this to happen, but we will notify all customers immediately if it does.
 
If you have any questions, please email me (tstout@firstwatch.net) or call my cell (858-395-1728) directly, or email support@firstwatch.net, and we’ll be happy to help.
 
Thank you and stay safe.
 
Todd Stout
President
FirstWatch