affects all versions of the loci_tools.jar library
log4j library packaged in deprecated loci_tools is vulnerable to remote execution.
The deprecated loci_tools jar contains an embedded version of the logging library log4j. A major vulnerability in log4j has been found: "Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled."
The original log4j vulnerability is identified as CVE-2021-44228
All versions of the loci_tools jar.
All users should move from the loci_tools jar to the bioformats_package jar which uses the logback library rather than log4j.