PROBLEM

Some security scanners may continue to detect Log4j in ArcGIS Pro after applying patches

Last Published: May 3, 2024

Description

Log4j 1.2.x vulnerabilities in ArcGIS Pro have been mitigated in the patches listed below. Although the vulnerabilities were mitigated, some security scanners may continue to detect Log4j after one of these patches is applied. This article explains why Log4j may still be reported and how to confirm that the installed files are the mitigated ones.

ArcGIS Pro patches that address Log4j

ArcGIS Pro version    Patch that addresses Log4j 1.2.x vulnerabilities*
2.9                   2.9.2
2.8                   2.8.6
2.7                   2.7.6
2.6                   2.6.9

* ArcGIS Pro patches are cumulative, so later patches for the same version (for example, 2.7.7) also include the fix.

Cause

  • Security scanners that are configured to identify vulnerable components solely by file version number may report false positives after these patches are applied, because the mitigated Log4j files still carry a 1.2.x version string.
  • The vulnerable classes have been removed from all Log4j 1.2.x components. These mitigated Log4j 1.2.x components are included with the patches listed above.
  • ArcGIS Pro 3.0 and later will not contain Log4j 1.2.x components.
  • To confirm that your files have been mitigated, use a validation tool that inspects the contents of the jar rather than its version string, such as Logpresso's free log4j-scan tool, as described in the cross-product Log4j announcement.
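The following script is an added example (not Esri's code and not the Logpresso tool) that shows the difference between the two scanning approaches described above. It builds two constructed jars in memory, one that still ships a vulnerable class and one with that class removed, both carrying the same 1.2.17 manifest. The version-only check flags both; the class-presence check flags only the unpatched one. The list of vulnerable class names is an assumption drawn from the public Log4j 1.2.x advisories; this article does not state which classes Esri removed, so adjust the list to match the advisories you track.

```python
"""Version-string scan versus class-presence scan of a Log4j 1.2.x jar.

Added example, not Esri's or Logpresso's code. The jars below are
constructed in memory so the script runs offline.
"""
import io
import os
import sys
import zipfile

# Assumption: class names tied to the public Log4j 1.2.x advisories. The
# article does not list which classes Esri removed, so this is illustrative.
VULNERABLE_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class",    # CVE-2021-4104
    "org/apache/log4j/net/SocketServer.class",   # CVE-2019-17571
    "org/apache/log4j/net/JMSSink.class",        # CVE-2022-23302
    "org/apache/log4j/jdbc/JDBCAppender.class",  # CVE-2022-23305
    "org/apache/log4j/chainsaw/Main.class",      # CVE-2022-23307
}

# Both constructed jars carry the same 1.2.17 manifest: stripping classes
# does not change the version string, which is what trips version-only scanners.
MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Implementation-Title: log4j\r\n"
    "Implementation-Version: 1.2.17\r\n"
    "\r\n"
)

BENIGN_CLASSES = [
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/PatternLayout.class",
]


def build_jar(class_names):
    """Constructed sample jar: a manifest plus empty placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", MANIFEST)
        for name in class_names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed inputs: an unpatched jar that still ships JMSAppender and a
# mitigated jar with the vulnerable class removed; same version in both.
UNPATCHED_JAR = build_jar(BENIGN_CLASSES + ["org/apache/log4j/net/JMSAppender.class"])
PATCHED_JAR = build_jar(BENIGN_CLASSES)


def manifest_version(jar_bytes):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "implementation-version":
            return value.strip()
    return None


def version_only_check(jar_bytes):
    """The mis-configured scanner: flag any jar whose version starts with 1.2."""
    version = manifest_version(jar_bytes)
    return version is not None and version.startswith("1.2.")


def vulnerable_classes_present(jar_bytes):
    """Class-presence check: which known-vulnerable entries the jar still has."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(VULNERABLE_CLASSES.intersection(zf.namelist()))


def class_based_check(jar_bytes):
    """True only if at least one known-vulnerable class is still in the jar."""
    return bool(vulnerable_classes_present(jar_bytes))


def scan_tree(root):
    """Walk an install directory and report both verdicts for every .jar."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                results[path] = {
                    "version": manifest_version(data),
                    "version_only_flags": version_only_check(data),
                    "vulnerable_classes": vulnerable_classes_present(data),
                }
            except zipfile.BadZipFile:
                results[path] = {"error": "not a valid zip/jar"}
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, verdict in scan_tree(sys.argv[1]).items():
            print(path, verdict)
    else:
        for label, jar in (("unpatched", UNPATCHED_JAR), ("patched", PATCHED_JAR)):
            print(f"{label}: version={manifest_version(jar)} "
                  f"version_only_flags={version_only_check(jar)} "
                  f"vulnerable_classes={vulnerable_classes_present(jar)}")
```

Run it with no arguments to see the two constructed jars compared, or pass an install directory (for example the ArcGIS Pro installation folder) to walk every .jar under it. A jar that reports a 1.2.x version but an empty vulnerable-class list is the situation this article describes: the version string survives the mitigation, the removed classes do not.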
Solution or Workaround

Log4j 1.2.x vulnerabilities addressed 

The following CVEs have been addressed in the ArcGIS Pro patches: 

To learn more about how Esri is addressing Log4j across all products, see the Log4j vulnerabilities blog. Contact Esri Support with any questions.

Article ID: 000027224

Software:
  • ArcGIS Pro 2.8.x
  • ArcGIS Pro 2.7.x
  • ArcGIS Pro 2.x
