A recently documented vulnerability in the java library log4j has raised many concerns. The Geocortex team has reviewed our entire code base and confirmed that Log4J 2.x is not used anywhere by any Geocortex product.
The version of log4j that is included with Geocortex Essentials and Geocortex Analytics is not vulnerable to CVE-2021-44228.
Geocortex products do not require patching to address CVE-2021-44228.
Customizations to Geocortex software are not made using Java, so they cannot reference log4j or include the vulnerable library.
Since Geocortex products make use of ArcGIS products, customers may need to apply Esri security patches to address the vulnerability. Please refer to Esri's guide on CVE-2021-44228, here: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/
Please sign in to leave a comment.