UIM Log4j vulnerability (CVE-2021-44832)



Article ID: 231488


Updated On:


DX Unified Infrastructure Management (Nimsoft / UIM)


CVE-2021-44832 affects Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4). These versions are vulnerable to code execution if an attacker is able to control and modify the contents of the logging configuration file so that it points to a remote URI data source from which arbitrary Java code is loaded.



Release: 20.3, 20.4


This is listed as a MEDIUM impact vulnerability, and requires that an attacker already have root/administrator access to an environment in order to enable it (which would be difficult to do in UIM even with such access).

We will update to log4j 2.17.1 (or whatever is the newest available) as part of the next normal GA release of each component.
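
To see which log4j-core jars in an installation fall inside the affected range given above, the following added example (not Broadcom or UIM code) classifies jars by file name. It assumes jars keep the Maven-style name `log4j-core-<version>.jar`; the directory to search is supplied by the operator.

```python
import re
import sys
from pathlib import Path

# Pre-release stages sort before the final release of the same version.
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
# Assumption: jars keep the Maven-style name log4j-core-<version>.jar.
JAR_NAME = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$",
    re.IGNORECASE,
)

# Range and exclusions exactly as stated in the article.
LOWER = (2, 0, 0, STAGE["beta"], 7)   # 2.0-beta7
UPPER = (2, 17, 0, STAGE[None], 0)    # 2.17.0
EXCLUDED = {(2, 3, 2, STAGE[None], 0), (2, 12, 4, STAGE[None], 0)}


def version_key(jar_name):
    """Turn a jar file name into a sortable tuple, or None if it does not match."""
    m = JAR_NAME.search(jar_name)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(num or 0))


def is_affected(jar_name):
    """True/False for a log4j-core jar; None for any other file name."""
    key = version_key(jar_name)
    if key is None:
        return None
    return LOWER <= key <= UPPER and key not in EXCLUDED


def scan(root):
    """Map each log4j-core jar found under root to its affected verdict."""
    found = {}
    for path in Path(root).rglob("log4j-core-*.jar"):
        verdict = is_affected(path.name)
        if verdict is not None:
            found[str(path)] = verdict
    return found


if __name__ == "__main__":
    # Usage: python check_log4j.py <install directory to search>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, affected in sorted(scan(root).items()):
        print(("AFFECTED  " if affected else "ok        ") + jar)
```

A file name only reflects what the packager called the jar; copies of Log4j bundled inside other archives or renamed jars are not detected by this check.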