Does CirrusLink have any statement on whether any of their products are affected by the log4j vulnerability, and if vulnerable how customers can mitigate any exposure in the short term, and when we can expect long term fixes?
I suspect the Ignition modules probably build on the logging system provided by Ignition, which Kevin Herron has informally stated is not affected in these two forum posts:
The Cirrus Link modules do use Ignition’s log system, which is SLF4J, not Log4J. As a result, the modules are unaffected by this CVE. We did discover that some of the modules do unnecessarily include log4j jar files. But these are never loaded/used and are, as a result, benign. These jars will be removed in future versions.
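For anyone who wants to inventory which log4j jars a module file bundles, as described in the reply above, the following is an added example and not Cirrus Link or Inductive Automation code. It assumes the module file is a zip-format archive; the sample archive and its file names are constructed in memory. It only reports what is bundled, not whether a jar is ever loaded.

```python
import io
import zipfile

# Class in log4j-core 2.x that implements the JNDI lookup.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Extensions opened as nested archives; treating .modl as zip is an assumption.
ARCHIVE_EXTS = (".jar", ".zip", ".war", ".modl")

def scan_archive(data, label, depth=0, max_depth=4):
    """Return (location, finding) tuples for log4j artifacts, recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive, nothing to report
    with zf:
        for info in zf.infolist():
            inner = f"{label}!/{info.filename}"
            base = info.filename.rsplit("/", 1)[-1].lower()
            if info.filename == JNDI_CLASS:
                findings.append((label, "contains JndiLookup.class"))
            if base.startswith("log4j") and base.endswith(".jar"):
                findings.append((inner, "bundled log4j jar"))
            if base.endswith(ARCHIVE_EXTS) and depth < max_depth:
                findings += scan_archive(zf.read(info), inner, depth + 1, max_depth)
    return findings

def scan_file(path):
    """Scan a module or jar file on disk."""
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)

def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_module():
    """Constructed sample: a module-like archive with two log4j jars and one unrelated jar."""
    core = _make_zip({JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    api = _make_zip({"org/apache/logging/log4j/Logger.class": b"\xca\xfe\xba\xbe"})
    other = _make_zip({"com/example/Util.class": b"\xca\xfe\xba\xbe"})
    return _make_zip({"notes.txt": "constructed sample", "lib/log4j-core-2.x.jar": core,
                      "lib/log4j-api-2.x.jar": api, "lib/other.jar": other})

if __name__ == "__main__":
    for where, what in scan_archive(build_sample_module(), "sample.modl"):
        print(f"{what}: {where}")
```

Run `scan_file()` against a copy of each installed module file to list the bundled jars before and after upgrading to a version where they have been removed.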