log4j Default Python Install - saspy

12-16-2021 08:42 AM
AndrewAdamson
New Contributor II

log4j is showing up in our security scans under the default python install:
C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\saspy\java\iomclient

Does this fall under the ESRI response for pro:
Recent releases of ArcGIS Pro contain Log4j but are not known to be exploitable as the software does not listen for remote traffic.

Is there any concern in removing this package from our user base install? Our security team is not happy with the ESRI response and want this removed.

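A way to turn the scanner hit above into something a security team can act on is to inventory every log4j jar under the environment and record what is actually inside it. The script below is an added example, not code from the original post, from Esri or from saspy: it walks a directory tree (the conda env's site-packages in the question), lists each log4j*.jar with the Implementation-Version from its MANIFEST.MF, and reports whether the jar still contains the JndiLookup class, which is the class the Log4j 2 project's mitigation guidance says to remove from log4j-core. Which version is bundled, and whether Esri or SAS consider it exploitable in this setting, is not something this check decides; it only tells you what is on disk. The sample tree it builds is constructed for the demo (fake jars with placeholder version strings), not a copy of the real saspy payload.

```python
"""Inventory log4j jars under a directory tree (for example a conda env).

Added example, not from the original post, Esri or saspy. For every
log4j*.jar found it reports the manifest version and whether the jar
still ships org/apache/logging/log4j/core/lookup/JndiLookup.class.
"""
import os
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Class named by the Log4j 2 mitigation guidance as the one to strip from log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def jar_version(jar: zipfile.ZipFile) -> str:
    """Read Implementation-Version from the jar manifest, or 'unknown'."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    match = VERSION_RE.search(manifest)
    return match.group(1) if match else "unknown"


def scan_for_log4j(root) -> list:
    """Walk `root` and describe each log4j*.jar; sorted by path for stable output."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if not (lower.startswith("log4j") and lower.endswith(".jar")):
                continue
            path = Path(dirpath) / name
            try:
                with zipfile.ZipFile(path) as jar:
                    findings.append({
                        "path": str(path),
                        "version": jar_version(jar),
                        "jndi_lookup_present": JNDI_LOOKUP in jar.namelist(),
                    })
            except zipfile.BadZipFile:
                # A jar the zip reader cannot open is still worth flagging.
                findings.append({"path": str(path), "version": "unreadable",
                                 "jndi_lookup_present": None})
    return sorted(findings, key=lambda f: f["path"])


def make_sample_tree() -> Path:
    """Constructed sample input: two fake jars, NOT real log4j artifacts."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    java_dir = root / "saspy" / "java" / "iomclient"
    java_dir.mkdir(parents=True)
    manifest = "Manifest-Version: 1.0\nImplementation-Version: 2.x-sample\n"
    # Fake "core" jar that still carries the JNDI lookup class.
    with zipfile.ZipFile(java_dir / "log4j-core-2.x.jar", "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    # Fake "api" jar that does not.
    with zipfile.ZipFile(java_dir / "log4j-api-2.x.jar", "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("org/apache/logging/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    # Usage: python scan_log4j.py <dir>; without an argument the sample tree is used.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for f in scan_for_log4j(target):
        print(f"{f['path']}\n  version={f['version']}  JndiLookup={f['jndi_lookup_present']}")
```

On the install from the question you would point it at the env root, e.g. `python scan_log4j.py "C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3"`, and keep the output as the evidence that goes back to the security team alongside the vendor statement.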
1 Reply
Robert_LeClair
Esri Notable Contributor

Caveat - I do not work for the Esri Software Security Team, rather Training Services: I found this blog article addressing log4j - ArcGIS and Apache Log4j Vulnerabilities (esri.com)

Hope this helps.