Log4J version update?

02-02-2022 11:35 AM
New Contributor

Hello all,

I'm just curious if ESRI is planning to include a Log4J version update in any upcoming releases/patches? Our leadership has determined that we cannot leave systems online that have Log4J < 2.17 regardless of whether the system can actually be exploited. I'm hoping with a forecasted patch we can keep our systems online knowing that a fix is coming down the pipeline. 

Thanks so much!

0 Kudos
4 Replies
New Contributor

Thank you! I have reviewed that in the past. Unfortunately our leadership is being rather tone-deaf to the actual exploitability of the vulnerability and only cares about the version number. I did review our 1560001 plugin out of Nessus and it confirms the JNDI lookup class does not exist. If only that were enough.

0 Kudos
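The two facts in tension in this thread, the log4j-core version number and whether the JndiLookup class is actually present, can be reported side by side for each archive. The following is an added example, not part of the original posts and not Esri or Nessus code; it assumes the standard log4j-core layout (Maven `pom.properties` and the `JndiLookup.class` path), and the function names are hypothetical.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def version_below(version, floor=(2, 17)):
    # Compare major.minor only; an unparseable version is reported as below the floor.
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:2])
    return len(nums) < 2 or nums < floor

def inspect_archive(data, name, depth=0, max_depth=4):
    """One finding per log4j-core copy in `data` (archive bytes), including nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive, nothing to report
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = "unknown"  # e.g. repackaged jar without Maven metadata
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                version = m.group(1).strip() if m else version
            findings.append({"path": name, "version": version, "below_2_17": version_below(version),
                             "jndi_lookup_present": JNDI_CLASS in names})
        for inner in sorted(names):
            if depth < max_depth and inner.lower().endswith(ARCHIVE_EXT):
                findings += inspect_archive(zf.read(inner), f"{name}!{inner}", depth + 1, max_depth)
    return findings

def build_sample(version, with_jndi):  # constructed sample: in-memory stand-in for a log4j-core jar
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    import sys, pathlib
    for path in sys.argv[1:]:
        print(inspect_archive(pathlib.Path(path).read_bytes(), path))
    if len(sys.argv) == 1:  # no arguments: run on a constructed sample
        print(inspect_archive(build_sample("2.16.0", False), "constructed.jar"))
```

A jar with the class stripped still reports `below_2_17: True`, which is the version-only finding the leadership policy in this thread keys on.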
Esri Regular Contributor

Hey there @hkrebs95, we have put out communication on this here:

For mitigation efforts and updates. While I cannot comment on version numbers, I know there are efforts underway to address these concerns. Please reach out to our security team here: with any additional questions.

Keep on keeping on!
0 Kudos
Occasional Contributor

ArcGIS Enterprise security patches will be released throughout Q1 2022, with more specific dates posted here as the effort progresses.



0 Kudos