log4j is showing up in our security scans under the default python install:
Does this fall under the ESRI response for pro:
Recent releases of ArcGIS Pro contain Log4j but are not known to be exploitable as the software does not listen for remote traffic.
Is there any concern in removing this package from our user base install? Our security team is not happy with the ESRI response and want this removed.