GitHub user ppkarwasz added a comment to the discussion: How do I upgrade
existing Log4j-core-2.19.0.jar & 2.20.0.jar files on a Windows computer
Hi @Kevinjt4,
The easiest way to handle this is to check whether CVE-2025-68161 is actually
**exploitable** in your environment. It affects a very limited number of users:
only those using the `Socket` or `Syslog` appenders with `protocol="SSL"`.
### Step 1: Check your configuration
Search for Log4j configuration files named `log4j2.<extension>` (e.g.
`log4j2.xml`). You are only affected if they contain something like:
```xml
<Configuration>
  <Appenders>
    <Socket protocol="SSL" ...> ... </Socket>
    <!-- or -->
    <Syslog protocol="SSL" ...> ... </Syslog>
  </Appenders>
</Configuration>
```
If you don't find this, you can mark the vulnerability as **non-exploitable**
and you're done.
### Step 2: If it is exploitable
Even then, exploitation requires an attacker with man-in-the-middle
capabilities on your network. If that's the case, log injection is the least of
your concerns.
### Step 3: Upgrade (if needed or required by policy)
Log4j follows semantic versioning, so upgrading within the 2.x series should be
safe. Replace both JARs together: they are more tightly coupled than we would
like:
- `log4j-core-*.jar` → `log4j-core-2.25.3.jar`
- `log4j-api-*.jar` → `log4j-api-2.25.3.jar`
Each **minor** version (2.21, 2.22, etc.) can bring small behavioral changes.
Skim the [release
notes](https://logging.apache.org/log4j/2.x/release-notes.html) for anything
that might affect your setup.
**Bottom line:** Upgrades are usually seamless, but given the low
exploitability risk, it may be worth waiting for ArcGIS Pro to ship an updated
release: they'll do full compatibility testing that you'd otherwise have to do
yourself.
GitHub link:
https://github.com/apache/logging-log4j2/discussions/4082#discussioncomment-16322798
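A small checker for Step 1 of the comment above, added here as an example and not code from the discussion or from the Log4j project: it parses each `log4j2*.xml` it finds and reports `Socket` or `Syslog` appenders with `protocol="SSL"`, flagging a protocol set through a `${...}` lookup for manual review because that value is only resolved at runtime. It assumes XML configuration files; JSON, YAML and properties formats are not covered.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Appenders that accept protocol="SSL". Log4j matches element and attribute
# names case-insensitively, so the checks below lower-case everything.
SSL_CAPABLE_APPENDERS = {"socket", "syslog"}

def check_log4j2_xml(xml_text: str) -> dict:
    """Classify one log4j2.xml document as 'affected', 'not-affected', or
    'review' (protocol comes from a ${...} lookup and is only known at runtime)."""
    status, findings = "not-affected", []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # drop any XML namespace
        if tag not in SSL_CAPABLE_APPENDERS:
            continue
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        protocol, name = attrs.get("protocol", ""), attrs.get("name", "<unnamed>")
        if "${" in protocol:
            findings.append(f"{tag} '{name}': protocol={protocol} resolved at runtime")
            status = "review" if status != "affected" else status
        elif protocol.upper() == "SSL":
            findings.append(f"{tag} '{name}': protocol=SSL")
            status = "affected"
    return {"status": status, "findings": findings}

def scan_directory(base: Path) -> dict:
    """Classify every log4j2*.xml below base; unparseable files need manual review."""
    results = {}
    for path in base.rglob("log4j2*.xml"):
        try:
            results[str(path)] = check_log4j2_xml(path.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            results[str(path)] = {"status": "review", "findings": [f"XML parse error: {exc}"]}
    return results

# Constructed sample: one SSL socket appender, one plain TCP socket appender.
SAMPLE = """<Configuration>
  <Appenders>
    <Socket name="tls" host="logs.example.internal" port="6514" protocol="SSL"/>
    <Socket name="plain" host="logs.example.internal" port="4560" protocol="TCP"/>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    print(check_log4j2_xml(SAMPLE))  # status 'affected', one finding
```

Run `scan_directory(Path(r"C:\path\to\ArcGIS"))` against the installation root to get a per-file verdict; anything marked `review` needs a look by hand.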