The security team has raised several incidents stating that log4j-1.2.17.jar is not supported and needs to be updated on all components in our environment (including EEM).
Log4j 1 as a whole project has been out of support since August 2015 and no longer receives security updates; therefore, using log4j 1.x is no longer allowed, and all software using it must be updated.
Therefore we need to update the jars as soon as possible.
Can this be fixed with an individual patch, or can it be implemented within the next update?
Release : 4.2
SOI will be updated to the latest log4j 2 version in 4.2 CU4.
EEM will also be updated to the latest log4j version in the next release.
Until the updated product versions are available, we have attached documentation explaining the impact of the various vulnerabilities and any actions that can be taken to mitigate them.
For SOI only, updated log4j files are provided; there are a number of different versions, which match the original versions of the files.