FirstWatch Technical Advisory:
Log4Shell / Log4j
Dear FirstWatch System Administrators,
Please share this information with other users as needed:
On Thursday, November 9th, this vulnerability was announced, and though we do not use the affected software, out of an abundance of caution, we immediately updated our firewall configurations to block any activity attempting to exploit this vulnerability. When we did that, this effectively became a non-issue for our systems, and for any customers or systems accessing FirstWatch.
However, we, like many public safety agencies and vendors, use ESRI mapping functions within our system, and ESRI later identified a vulnerability (https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/). ESRI recommended updating firewall rules (which we had done on day zero, and recommended to upgrade to the latest version of their software. We started that today, and should be complete by tonight, after which we’ll be able to test functionality to ensure the upgrade didn’t break anything new. The worst case scenario would be that ESRI’s web servers become compromised, and some of our GIS-related functionality could temporarily be unavailable. ESRI is on top of this on their end, and we don’t expect this to happen, but we will notify all customers immediately if it does.
Thank you and stay safe.