log4j Default Python Install - saspy

528
1
12-16-2021 08:42 AM
AndrewAdamson
New Contributor II

log4j is showing up in our security scans under the default python install:
C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\saspy\java\iomclient

Does this fall under the ESRI response for pro:
Recent releases of ArcGIS Pro contain Log4j but are not known to be exploitable as the software does not listen for remote traffic.

Is there any concern in removing this package from our user base install? Our security team is not happy with the ESRI response and want this removed.

Tags (1)
1 Reply
Robert_LeClair
Esri Frequent Contributor

Caveat - I do not work for Esri Software are Security Team rather Training Services:  I found this blog article addressing log4j - ArcGIS and Apache Log4j Vulnerabilities (esri.com)

Hope this helps.