Hello Juerg, On Mon, 2021-12-13 at 13:56 +0100, JCR wrote: > https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability > > I don't think so. But there are folks here who know much more about > the internals... > > Anybody? > > Thanks, > Juerg
We are working on an official statement to be posted on the Sling website. In the meantime, we have checked the sling source repos and there are no traces of log4j2, so user applications should be fine as long as they do not import log4j2 on their own. Thanks, Robert