I'm using ArcGIS Enterprise 10.8.1 and did in place upgraded last year. Our Cyber security team generated a list of my servers impacted by the Apache Log4j vulnerability. For example, ArcGIS Server at C:\Program Files\ArcGIS\Server\framework\runtime\zookeeper\lib\log4j-1.2.17.jar. I see someone's post that 10.8.1 ship with 2.x version, wondering why I have 1.2.17 version? Our cyber security team suggested fixed version : 2.15.0. I don't know if I should be downloading version of 2.15.0 to replace the older version in all the files that they scanned on my GIS servers, which impact stand alone ArcGIS Server, federated GIS server, geoevent server, datastore and portal. Or wait till ESRI has more detail for the mitigation?
DataStore: C:\Program Files\ArcGIS\DataStore\framework\runtime\elasticsearch_6.4.2\lib\log4j-core-2.11.1.jar
GIS Server/Federated Server/ GeoEvent Server: C:\Program Files\ArcGIS\Server\framework\runtime\zookeeper\lib\log4j-1.2.17.jar
Portal seems like in the upgrade backup folder only: arcgisportal\upgrade-backup\10.8.0\dsdata\elasticsearch_7.3.0\lib\log4j-core-2.11.1.jar
ArcGIS Pro: C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\log4j-1.2.17.jar