log4j vulnerability: LaTeX is not affected!
We are seeing more and more requests asking us whether LaTeX needs a patch because of the log4j vulnerability, when the necessary patch is planned and ready, etc. Rather than explain each time (which I have done more than a dozen times by now) why nothing needs to be done at our end, I decided to post it here, so that I can refer to that statement.
Upfront I would like to apologize to any LaTeX user for the noise, because if you know what LaTeX is (a macro package running on top of the TeX program), then you are well aware that such questions are ill-formed. But most people charged with checking all software in use in their organization do not know each and every piece of software, and for them LaTeX is just a program that may or may not use log4j.
Well, LaTeX is not a program; it is input for a program (namely TeX or one of its variants), so the question has to be: is any of the TeX programs that make use of the LaTeX source as input vulnerable to the log4j issue?
The answer is fortunately a clear NO, and the official statement on this from the TeX Users Group organization (for the TeX Live and MiKTeX distributions) can be found here:
If you talk to people who are searching for an answer as to whether or not LaTeX (or rather TeX) is affected by log4j and, if so, what is being done about it, please refer them to TUG and that statement.
Happy and continuously safe LaTeXing — Frank