The critical vulnerability CVE-2021-44228 in the Apache Log4j library was recently announced.

The ECaccess Gateway and DissFTP Server use Apache Log4j v1.x, which is not directly affected by the Log4Shell vulnerability. Log4j v1.x can still be exposed to the JNDI issue, but only if the JMS appender is configured in the "log4j.properties" files, which is definitely not the case. However, if you are really concerned, you can always add the following lines to the startup script (along with the other Java options):

JAVA_OPTS="$JAVA_OPTS -Dcom.sun.jndi.rmi.object.trustURLCodebase=false"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false"

Then restart the daemon to apply the change.
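
One way to verify both points above on a host, as an added example that is not ECMWF's own tooling: it searches an installation directory for active JMS appender entries in "log4j.properties" files and checks that a startup script carries both JNDI options. The function names and the directory and script arguments are assumptions; org.apache.log4j.net.JMSAppender is the Log4j v1.x JMS appender class.

```shell
#!/bin/sh
# Added example (not ECMWF code). Function names and arguments are assumptions.

# Print "file:line:text" for every active (non-comment) line in any
# log4j.properties under directory $1 that references the Log4j 1.x JMS appender.
find_jms_appender() {
    find "$1" -type f -name 'log4j.properties' -exec awk '
        /^[ \t]*[#!]/ { next }   # "#" and "!" start comments in .properties files
        /org\.apache\.log4j\.net\.JMSAppender/ { print FILENAME ":" FNR ":" $0 }
    ' {} +
}

# Return 0 when no active JMSAppender is configured under $1;
# otherwise print the hits and return 1.
check_log4j1_jms() {
    hits=$(find_jms_appender "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Return 0 when startup script $1 sets both trustURLCodebase properties
# to false on lines that are not commented out.
has_jndi_hardening() {
    for prop in com.sun.jndi.rmi.object.trustURLCodebase \
                com.sun.jndi.cosnaming.object.trustURLCodebase; do
        grep -v '^[[:space:]]*#' "$1" | grep -Fq -- "-D${prop}=false" || return 1
    done
    return 0
}

# Stand-alone use: sh script.sh <install_dir> <startup_script>
if [ "$#" -eq 2 ]; then
    check_log4j1_jms "$1" && echo "no active JMSAppender under $1"
    has_jndi_hardening "$2" && echo "JNDI options present in $2"
fi
```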

On Wednesday, 22 October 2014, the ECaccess gateway at ECMWF (ecaccess.ecmwf.int) was upgraded to fix a serious SSL security vulnerability.

As a result, the ECaccess webToolkit version 4.0.1 stopped working via the ecaccess.ecmwf.int gateway. Older versions of the tools are not affected, nor is version 4.0.1 if used via your local gateway.
