As far as I can tell, this project uses a version of Log4j 2 <2.16.0, which is needed to fix the recent vulnerability. I believe I'm pretty close to obtaining a working exploit that just sends a malicious XMPP request that is eventually logged, but I can't confirm that yet—I'll post here if I can make it work. In any case, bumping the version is probably a good idea, as anyone with Eclipse/IntelliJ simply being open could be vulnerable.