WSS uses log4j which is vulnerable to attack

[seismopaul]

Is there any plan to upgrade WSS to use a safe version of log4j?

[crotwell]

The log4j used is 1.2.15. Only versions >2 are vulnerable to log4shell.

[crotwell]

That said log4j 1.x is EOL. Making use of reload4j which has has some updates might be a good idea.