Hello,
Can someone confirm whether the below flagged directories with log4j should be considered unsafe? We are using ArcGIS Enterprise 11.3 and these components were flagged on the ArcGIS Portal machine.
Directory of C:\Program Files\ArcGIS\Portal\framework\runtime\ds\framework\lib
log4j-1.2-api.jar
Directory of C:\Program Files\ArcGIS\Portal\framework\runtime\ds\framework\runtime\opensearch\plugins\repository-gcs
log4j-1.2-api-2.20.0.jar
Directory of C:\Program Files\ArcGIS\Portal\framework\runtime\ds\framework\runtime\opensearch\plugins\repository-s3
log4j-1.2-api-2.20.0.jar
Directory of C:\Program Files\ArcGIS\Portal\framework\runtime\tomcat\lib
log4j-1.2-api-2.22.1.jar
Directory of C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\saspy\java\iomclient
log4j-1.2-api-2.19.0.jar
Directory of C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars
log4j-1.2-api-2.20.0.jar
Hello @Yogesh_Chavan, you don't mention what security scanner you used to generate this list. False positives can be a problem with many scanners. Check whether you are using one of the scanners listed in the Security Scanner False Positives section below.
Thank you for the details @ChrisUnderwood, I can check these details with the IT team.