SocketServer class included in Log4j 1.2 is vulnerable to deserialization of untrusted data. This vulnerability can be exploited to remotely execute arbitrary code in combination with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions from 1.2 up to 1.2.17.
WSO2 API Manager
WSO2 Enterprise Integrator
WSO2 Identity Server
WSO2 Stream Processor
This vulnerability is exploitable only if Log4j SocketServer is used to accept network traffic for log data. WSO2 products do not use or WSO2 does not recommend using SocketServer functionality of Log4j. In addition, third-party dependencies used by WSO2 products do not use this functionality of Log4j. Therefore, this CVE does not affect the security aspect of WSO2 products.