How do I upgrade existing Log4j-core-2.19.0.jar & 2.20.0.jar files on a Windows computer

[Kevinjt4]

Our vulnerability scanning software has flagged ~300 devices in our environment that have ArcGIS Pro installed with a log4j vulnerability (CVE-2025-68161). I've reached out to ESRI and they deem this vulnerability to be a very low priority on their end, and have stated they dont have an upgrade in the works for this issue.

The vulnerabilities can be found at these two locations:

• Path: C:\Program Files\ArcGIS\Pro\bin\Python\envs\arcgispro-py3\Lib\site-packages\saspy\java\iomclient\log4j-core-2.19.0.jar

• Path: C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\log4j-core-2.20.0.jar

The recommended "fix" is to upgrade to 2.25.3 or later.

I am deskside support, not a developer. I've read over the Apache.org site regarding downloading the binary files, thus I have download the apache-log4j-2.25.3-bin.zip file. This appears to include the recommended log4j-core-2.25.3.jar but am not sure if just replacing the old files with the new is the correct route to go.

Would someone mind assisting me in getting the files upgraded or pointing me in the right direction?

Kevin

[ppkarwasz]

Hi @Kevinjt4,

The easiest way to handle this is to check whether CVE-2025-68161 is actually exploitable in your environment. It affects a very limited number of users: only those using the Socket or Syslog appenders with protocol="SSL".

Step 1: Check your configuration

Search for Log4j configuration files named log4j2.<extension> (e.g. log4j2.xml). You are only affected if they contain something like:

<Configuration>
  <Appenders>
    <Socket protocol="SSL" ...> ... </Socket>
    <!-- or -->
    <Syslog protocol="SSL" ...> ... </Syslog>
  </Appenders>
</Configuration>

If you don't find this, you can mark the vulnerability as non-exploitable and you're done.

Step 2: If it is exploitable

Even then, exploitation requires an attacker with man-in-the-middle capabilities on your network. If that's the case, log injection is the least of your concerns.

Step 3: Upgrade (if needed or required by policy)

Log4j follows semantic versioning, so upgrading within the 2.x series should be safe. Replace both JARs together: they are more tightly coupled than we would like:

• log4j-core-*.jar → log4j-core-2.25.3.jar
• log4j-api-*.jar → log4j-api-2.25.3.jar

Each minor version (2.21, 2.22, etc.) can bring small behavioral changes. Skim the release notes for anything that might affect your setup.

Bottom line: Upgrades are usually seamless, but given the low exploitability risk, it may be worth waiting for ArcGIS Pro to ship an updated release: they'll do full compatibility testing that you'd otherwise have to do yourself.