PT-2021-24406 · Apache+1 · Log4J+1
Published 2021-12-14 · Updated 2021-12-14
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions:
Splunk Logging for Java library versions prior to 1.11.1
Splunk Logging for Java library version 1.6.2 and earlier, with the exception of version 1.6.2-0-0
Description:
Logging untrusted or user-controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against the application. The attacker-controlled data need not come from an obvious input field: it includes untrusted values that end up in logged errors, such as exception traces, authentication failures, and other unexpected paths by which user-controlled input reaches a log statement.
Recommendations:
For versions prior to 1.11.1, update to version 1.11.1 or later.
For version 1.6.2, apply the patch 1.6.2-0-0.
As a temporary workaround, if upgrading is not possible, consider setting the -Dlog4j2.formatMsgNoLookups=true system property on both client- and server-side components.
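The affected-version rule above has an awkward edge (every release before 1.11.1 is affected, except the exact patched build 1.6.2-0-0), and the workaround is a JVM system property whose presence is easy to mis-check. The following inventory helper, added here as an example and not part of the advisory or of Splunk's code, encodes both rules so a defender can run them over a constructed list of (version, JVM command line) pairs; the version strings and command lines in it are made up for illustration.

```python
import re
import shlex
from typing import List, Tuple

# Values taken from the advisory text.
FIXED_VERSION = (1, 11, 1)          # "prior to 1.11.1" is affected
PATCHED_EXACT = "1.6.2-0-0"         # the one 1.6.2 build that is not affected
WORKAROUND_PROPERTY = "log4j2.formatMsgNoLookups"

# Assessment outcomes returned by assess().
STATUS_FIXED = "not affected (fixed or patched build)"
STATUS_WORKAROUND = "affected; temporary workaround flag present, upgrade still required"
STATUS_EXPOSED = "affected; no mitigation detected"


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the numeric dotted prefix of a version, e.g. '1.6.2-0-0' -> (1, 6, 2).

    Trailing build suffixes are ignored for the numeric comparison; the
    patched build is matched exactly by string instead (see is_affected).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Normalise to at least three components so '1.11' compares like '1.11.0'.
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True if this Splunk Logging for Java version falls in the advisory's affected range."""
    if version.strip() == PATCHED_EXACT:
        return False
    return parse_version(version) < FIXED_VERSION


def has_lookup_workaround(jvm_args: str) -> bool:
    """True if the JVM command line sets -Dlog4j2.formatMsgNoLookups=true.

    If the property is given more than once, the JVM keeps the last value,
    so this check does the same rather than stopping at the first match.
    """
    value = None
    prefix = f"-D{WORKAROUND_PROPERTY}="
    for tok in shlex.split(jvm_args):
        if tok.startswith(prefix):
            value = tok[len(prefix):].strip().lower()
    return value == "true"


def assess(version: str, jvm_args: str) -> str:
    """Combine the version rule and the workaround check into one verdict."""
    if not is_affected(version):
        return STATUS_FIXED
    if has_lookup_workaround(jvm_args):
        return STATUS_WORKAROUND
    return STATUS_EXPOSED


def assess_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, verdict) for each (host, version, jvm_args) record."""
    return [(host, assess(ver, args)) for host, ver, args in inventory]


# Constructed sample inventory (hostnames, versions and command lines are made up).
SAMPLE_INVENTORY = [
    ("app-01", "1.11.1", "-Xmx1g -jar app.jar"),
    ("app-02", "1.11.0", "-Xmx1g -Dlog4j2.formatMsgNoLookups=true -jar app.jar"),
    ("app-03", "1.6.2-0-0", "-jar legacy.jar"),
    ("app-04", "1.6.2", "-Dlog4j2.formatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=false -jar legacy.jar"),
]

if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {verdict}")
```

The workaround check deliberately reports only that the flag is present on the command line; as the advisory says, it is a temporary measure, so a host marked with STATUS_WORKAROUND still belongs on the upgrade list.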
Related Identifiers
Affected Products
Log4J
Splunk Logging For Java