According to Log4j – Apache Log4j Security Vulnerabilities, all versions of Log4j from 2.0 through 2.16.0 are vulnerable:
“All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4”
According to Red Hat Bugzilla – Bug 2031667, a similar vulnerability could occur in Log4j 1.x if the application is configured to use JMSAppder:
“A flaw was found in the Java logging library Apache Log4j in version 1.x . This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender.”
JMSAppender is not enabled and in use by Tansa, so Tansa is thus safe from this type of attack.