This message is about the effect of CVE-2021-44228 (log4j2) on Fuseki.
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Jena ships log4j2 in Fuseki and the command line tools.
The vulnerability of log4j2 does impact Fuseki 3.15 - 3.17, and 4.x.
Remote execution is only possible with older versions of Java.
Java 8u121 and Java 11.0.1, and later versions, set
"com.sun.jndi.rmi.object.trustURLCodebase"
and
"com.sun.jndi.cosnaming.object.trustURLCodebase"
to "false", protecting against remote code execution by default.
The workaround of setting "-Dlog4j2.formatMsgNoLookups=true" works with
all affected Fuseki versions:

    JVM_ARGS="-Dlog4j2.formatMsgNoLookups=true" ./fuseki-server ....

Note that Apache Jena 4.2.0 addresses an unrelated Jena-specific CVE:
https://nvd.nist.gov/vuln/detail/CVE-2021-39239
We will release Jena 4.3.1 with upgraded log4j2.
Andy
on behalf of the Jena PMC
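
Added example (not part of the original message and not Jena project code): a shell check that classifies a Fuseki host by the two conditions the message names, the Java release (8u121 / 11.0.1 or later) and the presence of the -Dlog4j2.formatMsgNoLookups=true workaround. The function names and status words are hypothetical, the sample input is constructed, and release lines the message does not mention (for example Java 9 and 10) are reported as not covered.

```shell
#!/bin/sh
# Added example; constructed inputs, not output from a real Fuseki host.

# Pull the quoted version out of the first line of `java -version 2>&1`.
java_version_from_banner() {
    sed -n '1s/.*version "\([^"]*\)".*/\1/p'
}

# 0: at or after Java 8u121 / 11.0.1 (the releases the message names)
# 1: an older Java 8 or Java 11 build
# 2: a release line the message does not mention, or unparseable
java_sets_trust_false() {
    v=${1%%[!0-9._]*}
    IFS=. read -r major minor patch _ <<EOF
$v
EOF
    case $major in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -eq 1 ] && [ "$minor" = 8 ]; then
        case $patch in *_*) upd=${patch#*_} ;; *) upd=0 ;; esac
        case $upd in ''|*[!0-9]*) return 2 ;; esac
        [ "$upd" -ge 121 ] && return 0
        return 1
    fi
    if [ "$major" -eq 11 ]; then
        [ "${minor:-0}" -gt 0 ] || [ "${patch:-0}" -gt 0 ] && return 0
        return 1
    fi
    [ "$major" -gt 11 ] && return 0
    return 2
}

# True when the exact workaround flag is one of the JVM arguments.
has_no_lookups() {
    for a in $1; do
        [ "$a" = "-Dlog4j2.formatMsgNoLookups=true" ] && return 0
    done
    return 1
}

# fuseki_log4j_status JAVA_VERSION JVM_ARGS -> one status word on stdout
fuseki_log4j_status() {
    if has_no_lookups "$2"; then echo workaround-set; return 0; fi
    rc=0; java_sets_trust_false "$1" || rc=$?
    case $rc in
        0) echo jvm-defaults-only ;;
        1) echo older-jvm-no-workaround ;;
        *) echo jvm-not-covered ;;
    esac
}

fuseki_log4j_status "1.8.0_111" "-Xmx2G"   # constructed sample input
```

On a live host the first argument can come from `java -version 2>&1 | java_version_from_banner` and the second from the JVM_ARGS value used to start fuseki-server.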