bbottema / simple-java-mail

Simple API, Complex Emails (Jakarta Mail smtp wrapper)

Home Page: http://www.simplejavamail.org

Resolve log4j (Java7) vulnerability in Simple Java Mail's CLI module

bbottema opened this issue · comments

Technically, Simple Java Mail doesn't depend on log4j for general use; it is only included in the stand-alone CLI distribution so the dependency (and its vulnerability) is basically never exposed to the public domain. So if you're just using it as a dependency in your project, you're good and you don't really need a new version.

However, to just avoid any ambiguity about this and satisfy the dependency analyzers, I'll just resolve this issue and move to 2.12.3 which fixes it for Java 7 (see https://logging.apache.org/log4j/2.x/security.html). This will be released in Simple Java Mail 6.6.2.

For the next major version 7.0.0 I will further update to 2.17.0, which fixes it for Java 8 and up.

6.6.2 released.