We have been asked if S/Notify is affected by the Log4j vulnerability that has just been filed under CVE-2021-44228 (also referred to as Log4Shell) in the National Vulnerability Database of NIST.
...
S/Notify internally uses the slf4j library for logging purposes, so our apps are not directly affected.
You may be interested to know that the source code of S/Notify is regularly scanned for vulnerabilities in its libraries against the National Vulnerability Database.
However, slf4j logging can be redirected to whatever logging framework the host application (Jira, Confluence, etc.) uses. So, while we are not logging with the affected Log4j ourselves, the issue might theoretically be passed on to the host application's logging.
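One way to check where slf4j output ends up on a given host is to inspect the JARs on its classpath. The following is an added example, not S/Notify or Atlassian code. It assumes SLF4J 1.x-style bindings (a `StaticLoggerBinder` class) and does not look inside nested JARs; the function names and the sample JARs are constructed for illustration.

```python
import io
import zipfile

# Class files that reveal a JAR's role in the logging chain.
SLF4J_BINDER = "org/slf4j/impl/StaticLoggerBinder.class"  # SLF4J 1.x backend binding
LOG4J2_BRIDGE = "org/apache/logging/slf4j/Log4jLoggerFactory.class"  # SLF4J -> Log4j 2
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # in log4j-core


def classify_jar(jar):
    """Return the logging roles of one JAR (file path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    roles = set()
    if SLF4J_BINDER in names:
        roles.add("log4j2-bridge" if LOG4J2_BRIDGE in names else "other-binding")
    if JNDI_LOOKUP in names:
        roles.add("log4j2-core-jndi")
    return roles


def assess(jars):
    """jars maps a name to a path or file object; returns (verdict, findings)."""
    findings = {name: classify_jar(jar) for name, jar in jars.items()}
    findings = {name: roles for name, roles in findings.items() if roles}
    roles = set().union(*findings.values())
    if {"log4j2-bridge", "log4j2-core-jndi"} <= roles:
        verdict = "slf4j routed to Log4j 2: check log4j-core version against the CVE advisory"
    elif "log4j2-core-jndi" in roles:
        verdict = "Log4j 2 core present but slf4j is not bound to it"
    else:
        verdict = "slf4j is not routed to Log4j 2"
    return verdict, findings


def fake_jar(*entries):
    """Build a constructed in-memory JAR with empty entries (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    libs = {"bridge.jar": fake_jar(SLF4J_BINDER, LOG4J2_BRIDGE),
            "core.jar": fake_jar(JNDI_LOOKUP)}
    print(assess(libs))
```

On a real host, pass `assess` the paths of the JARs in the application's library directory instead of the constructed ones.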
...
We’ll update this blog page if we receive any relevant updates.
...