We updated log4j four times in December/January. The first two times
seemed warranted, although limited even then because the UI and API for an
ManifoldCF instance are not ever available on the open internet. The last
two were a stretch to think they could cause any problems in our
environment,
We just started an upgrade to version 2.22.1 and noticed, that still vulnerable
log4j version are present in the distribution package, e.g.:
apache-manifoldcf-2.22.1\lib\log4j-api-2.15.0.jar
apache-manifoldcf-2.22.1\web\war\mcf-authority-service\WEB-INF\lib\log4j-api-2.15.0.jar
According to