Do we know if Spectrum is vulnerable to this  CVE-2021-4104?  The  log4j12-1.2.17 file is found in the location

$SPECROOT/tomcat/webapps/ca-nim-sm/WEB-INF/lib/log4j.1.2.17.jar

Release : 10.4.x, 21.x

Component :Spectrum Vulnerability

n/a

This flaw(CVE-2021-4104) ONLY affects applications which are specifically configured to use JMSAppender, which is not the default option.  Spectrum does not use JMSAppender or SocketAppender in any way, therefore this vulnerability does not present any risk to Spectrum.

Spectrum 21.2.6 will not contain the log4j12-1.2.17.jar file as confirmed from Engineering.