We just started an upgrade to version 2.22.1 and noticed, that still vulnerable log4j version are present in the distribution package, e.g.:
apache-manifoldcf-2.22.1\lib\log4j-api-2.15.0.jar apache-manifoldcf-2.22.1\web\war\mcf-authority-service\WEB-INF\lib\log4j-api-2.15.0.jar According to this issue: https://issues.apache.org/jira/browse/CONNECTORS-1683 we expected, that the log4j problem was already solved. Is this a known problem, or do we have upgrade the log4j version manually? Kind regards, Uwe Wolfinger