We are upgrading from Risk Authentication 9.1 SP2 to SP3.

As part of previous release we got the log4shell(CVE-2021-44228) patch to resolve the issue.

Do we need apply the same patch or can we get new patch for log4shell issue on version SP3?

Release : 9.1 SP3

Based on NVD recommendation, this issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1.

Log4j 2.17.1 libraries are already packaged in 9.1 SP3. 

For more information, you can refer the section '9.1 SP3 Components' in product documentation https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/advanced-authentication/9-1/third-party-software-acknowledgments.html.