GitHub user Kevinjt4 created a discussion: How do I upgrade existing Log4j-core-2.19.0.jar & 2.20.0.jar files on a Windows computer
Our vulnerability scanning software has flagged ~300 devices in our environment that have ArcGIS Pro installed with a log4j vulnerability (CVE-2025-68161). I've reached out to ESRI and they deem this vulnerability to be a very low priority on their end, and have stated they don't have an upgrade in the works for this issue.

The vulnerabilities can be found at these two locations:

- Path: C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\saspy\java\iomclient\log4j-core-2.19.0.jar
- Path: C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\log4j-core-2.20.0.jar

The recommended "fix" is to upgrade to 2.25.3 or later. I am deskside support, not a developer. I've read over the Apache.org site regarding downloading the binary files, thus I have downloaded the apache-log4j-2.25.3-bin.zip file. This appears to include the recommended log4j-core-2.25.3.jar, but I am not sure if just replacing the old files with the new is the correct route to go. Would someone mind assisting me in getting the files upgraded or pointing me in the right direction?

Kevin

GitHub link: https://github.com/apache/logging-log4j2/discussions/4082
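Before and after swapping jars on ~300 machines, a deskside team wants a repeatable check of which log4j jars are actually present and at what version, rather than trusting the filename alone. The script below is an added example for this thread; it is not code from the discussion, from Apache Log4j, or from Esri. It walks a set of directories, finds `log4j-*.jar` files, reads `Implementation-Version` from each jar's `META-INF/MANIFEST.MF` (falling back to the version in the filename), flags anything below the 2.25.3 target named in the post, and reports directories where `log4j-core` and `log4j-api` are at different versions, since Log4j 2 ships the two as a matched pair and upgrading only `log4j-core` leaves them out of step. The two `DEFAULT_ROOTS` are the paths quoted in the post; that these are the only locations worth checking is an assumption, and the sample jars it builds for the offline demo are constructed stand-ins containing only a manifest.

```python
"""Inventory log4j jars under a set of directories and flag those below a target version.

Added example for this thread; not code from the discussion, Apache Log4j, or Esri.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Paths quoted in the post; assumed (not verified) to be the only locations worth checking.
DEFAULT_ROOTS = [
    r"C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\saspy\java\iomclient",
    r"C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars",
]
TARGET_VERSION = "2.25.3"  # the version the scanner's recommendation names

# log4j-core-2.19.0.jar -> ("log4j-core", "2.19.0"); also handles names like log4j-1.2-api-2.19.0.jar
FILENAME_RE = re.compile(r"^(log4j-[a-z0-9.-]+?)-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.25.3' into (2, 25, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def manifest_version(jar_path: str) -> Optional[str]:
    """Return Implementation-Version from the jar's manifest, or None if it has none."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
    # Long manifest lines are folded; a continuation line starts with a single space.
    unfolded = raw.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.split("\n"):
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(jar_path: str, target: str = TARGET_VERSION) -> Optional[Dict[str, object]]:
    """Describe one log4j jar: artifact, version found, and whether it is below the target."""
    match = FILENAME_RE.match(os.path.basename(jar_path))
    if not match:
        return None  # not a log4j jar, nothing to open
    artifact, name_version = match.group(1).lower(), match.group(2)
    # The manifest is authoritative: a renamed file still carries its real version inside.
    version = manifest_version(jar_path) or name_version
    return {
        "path": jar_path,
        "artifact": artifact,
        "version": version,
        "below_target": version_tuple(version) < version_tuple(target),
    }


def scan(roots: List[str], target: str = TARGET_VERSION) -> List[Dict[str, object]]:
    """Walk each root (missing roots yield nothing) and return a finding per log4j-*.jar."""
    findings: List[Dict[str, object]] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):
                info = inspect_jar(os.path.join(dirpath, name), target)
                if info:
                    findings.append(info)
    return findings


def version_mismatches(findings: List[Dict[str, object]]) -> List[str]:
    """Directories where log4j-core and log4j-api sit side by side at different versions."""
    by_dir: Dict[str, Dict[str, str]] = {}
    for f in findings:
        by_dir.setdefault(os.path.dirname(str(f["path"])), {})[str(f["artifact"])] = str(f["version"])
    return [d for d, arts in by_dir.items()
            if "log4j-core" in arts and "log4j-api" in arts and arts["log4j-core"] != arts["log4j-api"]]


def build_sample_jar(directory: str, artifact: str, version: str) -> str:
    """Create a constructed stand-in jar (manifest only) so the scan can be exercised offline."""
    path = os.path.join(directory, f"{artifact}-{version}.jar")
    manifest = f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n\r\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return path


def build_sample_set(versions: Dict[str, str]) -> str:
    """Create a temp directory of constructed jars, e.g. {"log4j-core": "2.19.0"}; caller cleans up."""
    directory = tempfile.mkdtemp()
    for artifact, version in versions.items():
        build_sample_jar(directory, artifact, version)
    return directory


if __name__ == "__main__":
    # Offline demo on constructed jars; on an affected workstation call scan(DEFAULT_ROOTS) instead.
    sample_dir = build_sample_set({"log4j-core": "2.19.0", "log4j-api": "2.19.0"})
    results = scan([sample_dir])
    for f in results:
        flag = "BELOW TARGET" if f["below_target"] else "ok"
        print(f"{f['artifact']:<12} {f['version']:<8} {flag}  {f['path']}")
    print("core/api version mismatch in:", version_mismatches(results))
```

Run it once before the swap to confirm the inventory matches what the scanner reported, and once after to confirm every `log4j-core` and its neighbouring `log4j-api` read 2.25.3 from the manifest. A directory listed under the mismatch check after the swap means only one half of the pair was replaced.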
