Short answer: no. SavaPage uses an older log4j 1.2.17 version. This version does support JNDI options in its JMS (Java Message Service) appender, but this appender is not used by SavaPage.
But there are a lot of log4j CVEs!
- cve.ics-csirt io/cve?vendor=apache&product=log4j
- cve.mitre org/cgi-bin/cvekey.cgi?keyword=Apache%20Log4J
Another one in few days, to fix nvd.nist gov/vuln/detail/CVE-2021-44832:
- logging.apache org/log4j/2.x/security.html
Only recent CVEs:
Note that there is a logback CVE too:
And previously slf4j etc.
@Neustradamus Yes, there are a many log4j 2.x CVEs. Could you be more specific about log4j 1.2.17 vulnerabilities that might affect SavaPage?