With respect to the recent Apache Log4J vulnerability described in the Common Vulnerabilities and Exposures (CVE) in CVE-2021-44228 , our Engineering team investigated the potential exposure for the PDF Java Toolkit to this vulnerability.

The library components in PDFJT (including Talkeetna) use a bring-your-own-logger facade called SLF4J . This lets customers pick which logging package they want to use in their programs. If a customer is using log4j with the PDFJT or Talkeetna libraries, then that was something the customer configured in their build, and they can easily update the version of log4j.

PDFJT only uses Log4j in completed programs. The following components that we ship to customers contain log4j:

However, these are standalone applications making use of log4j and as such do not enable jndi because they don't need it. Therefore they should not have the jndiLookup vulnerability.