Hope XG isn't affected by the Log4j exploit

See: www.sophos.com/.../sophos-sa-20211210-log4j-rce

It's only a sample size of two, but the vulnerable library is present on the XG devices I checked just now:
/usr/share/webconsole/WEB-INF/lib/spotbugs/lib/log4j-core-2.13.1.jar

If Sophos say that "Sophos Firewall does not use Log4j." then i'm inclined to trust them, but it would be better if the statement read "Even though the vulnerable code is present in the XG filesystem, it is not used in any way, we just bundled it in there because someone thought it was a good idea to have it handy should the need arise." ;)

Spotbugs in SFOS will not be used in runtime of the appliance and is only a tool for the DEV part of QA. So the statement within the Advisory is still correct: Sophos Firewall does not use Log4j

Spotbugs in SFOS will not be used in runtime of the appliance and is only a tool for the DEV part of QA. So the statement within the Advisory is still correct: Sophos Firewall does not use Log4j