pwm-project / pwm

Log4j finding in PWM 1.9.2 (OneJar)

norschel opened this issue · comments

We used the Log4j scanner from the GitHub project (https://github.com/hillu/local-log4j-vuln-scanner) to look for the Log4j vulnerabilities from December 2021. The scanner found a finding on the OneJar of PWM version 1.9.2.

Output from local-log4j-vuln-scanner:

```
local-log4j-vuln-scanner.exe c:\PWM | grep "vulnerable component found"
indicator for vulnerable component found in c:\PWM\pwm-onejar-1.9.2.jar::embed.war::WEB-INF/lib/log4j-1.2.17.jar (org/apache/log4j/net/SocketNode.class): SocketNode.class log4j 1.2.17 CVE-2019-17571
```

Is PWM affected by the Log4j vulnerabilities? If so, is an updated version already on the horizon?
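The scanner output above reports a nested path (`jar::war::jar`) and a single indicator class. The following is an added example, not code from the issue, from PWM, or from the hillu scanner: a small Python reproduction of that detection logic that walks archives nested inside archives, flags any archive containing `org/apache/log4j/net/SocketNode.class`, and extracts the version from the jar name. The sample OneJar layout is constructed in memory to mirror the reported path; the scanner name, class list and version regex are this example's own choices. Like the original tool, it only reports that the class file is present, which is an inventory signal rather than proof that the component is reachable at runtime.

```python
"""Recursive archive scan for the log4j 1.x SocketNode indicator class.

Added example (not part of the original issue or of the hillu scanner).
The OneJar/WAR/jar layout below is constructed in memory.
"""
import io
import re
import zipfile
from typing import Iterator, List, Optional, Tuple

# Presence of this class is the indicator the scanner above reported.
INDICATOR_CLASS = "org/apache/log4j/net/SocketNode.class"
# Archive types we descend into (assumption: plain zip containers).
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Pull the version out of a conventional log4j jar name.
VERSION_RE = re.compile(r"log4j-(\d+(?:\.\d+)+)\.jar$")


def _walk(zf: zipfile.ZipFile, path: str) -> Iterator[Tuple[str, str]]:
    """Yield (archive_path, member) for every member of zf, recursing into
    nested archives. Nesting levels are joined with '::' as in the report."""
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            data = zf.read(name)
            try:
                inner = zipfile.ZipFile(io.BytesIO(data))
            except zipfile.BadZipFile:
                # Not a real archive (or corrupt): report it as a plain member.
                yield path, name
                continue
            with inner:
                yield from _walk(inner, f"{path}::{name}")
        else:
            yield path, name


def find_log4j1_socketnode(archive_bytes: bytes, label: str) -> List[Tuple[str, Optional[str]]]:
    """Return [(nested archive path, version or None)] for every archive
    (at any depth) that contains the SocketNode indicator class."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for archive_path, member in _walk(zf, label):
            if member == INDICATOR_CLASS:
                innermost = archive_path.rsplit("::", 1)[-1]
                m = VERSION_RE.search(innermost)
                findings.append((archive_path, m.group(1) if m else None))
    return findings


def _zip_bytes(members: dict) -> bytes:
    """Build a zip archive in memory from {member name: str or bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_onejar() -> bytes:
    """Constructed sample mirroring the reported layout:
    onejar -> embed.war -> WEB-INF/lib/log4j-1.2.17.jar -> SocketNode.class.
    Class members hold only the class-file magic; they are stand-ins."""
    log4j_jar = _zip_bytes({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        INDICATOR_CLASS: b"\xca\xfe\xba\xbe",
        "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
    })
    war = _zip_bytes({
        "WEB-INF/web.xml": "<web-app/>",
        "WEB-INF/lib/log4j-1.2.17.jar": log4j_jar,
    })
    return _zip_bytes({
        "Boot.class": b"\xca\xfe\xba\xbe",
        "embed.war": war,
    })


if __name__ == "__main__":
    for path, version in find_log4j1_socketnode(build_sample_onejar(), "pwm-onejar-1.9.2.jar"):
        print(f"indicator for vulnerable component found in {path} "
              f"({INDICATOR_CLASS}): log4j {version or 'unknown'}")
```

To use this against a real deployment, read the OneJar from disk and pass its bytes together with the file name as `label`; the `::` path tells you exactly which embedded archive carries the library, which is what you need when deciding whether the component is actually loaded by the application or merely shipped alongside it.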

Dupe of issue #628.