topic log4j Default Python Install - saspy in ArcGIS Pro Questions https://community.esri.com/t5/arcgis-pro-questions/log4j-default-python-install-saspy/m-p/1126765#M49094 <P>log4j is showing up in our security scans under the default python install:<BR /><SPAN>C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\saspy\java\iomclient</SPAN><BR /><BR />Does this fall under the ESRI response for pro:<BR /><EM>Recent releases of ArcGIS Pro contain Log4j but are not known to be exploitable as the software does not listen for remote traffic.<BR /><BR /></EM>Is there any concern in removing this package from our user base install? Our security team is not happy with the ESRI response and want this removed.</P> Thu, 16 Dec 2021 16:42:35 GMT AndrewAdamson 2021-12-16T16:42:35Z log4j Default Python Install - saspy https://community.esri.com/t5/arcgis-pro-questions/log4j-default-python-install-saspy/m-p/1126765#M49094 <P>log4j is showing up in our security scans under the default python install:<BR /><SPAN>C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\saspy\java\iomclient</SPAN><BR /><BR />Does this fall under the ESRI response for pro:<BR /><EM>Recent releases of ArcGIS Pro contain Log4j but are not known to be exploitable as the software does not listen for remote traffic.<BR /><BR /></EM>Is there any concern in removing this package from our user base install? Our security team is not happy with the ESRI response and want this removed.</P> Thu, 16 Dec 2021 16:42:35 GMT https://community.esri.com/t5/arcgis-pro-questions/log4j-default-python-install-saspy/m-p/1126765#M49094 AndrewAdamson 2021-12-16T16:42:35Z Re: log4j Default Python Install - saspy https://community.esri.com/t5/arcgis-pro-questions/log4j-default-python-install-saspy/m-p/1126770#M49095 <P>Caveat - I do not work for Esri Software are Security Team rather Training Services:&nbsp; I found this blog article addressing log4j -&nbsp;<A href="https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/" target="_blank">ArcGIS and Apache Log4j Vulnerabilities (esri.com)</A></P><P>Hope this helps.</P> Thu, 16 Dec 2021 16:50:30 GMT https://community.esri.com/t5/arcgis-pro-questions/log4j-default-python-install-saspy/m-p/1126770#M49095 Robert_LeClair 2021-12-16T16:50:30Z