A security issue was recently disclosed (CVE-2021-44228) affecting the broadly-used Apache Log4j library. Fess includes versions of Log4j, which are referenced in this CVE. An upgrade is highly recommended for users of Fess 13.11 to 13.15.
Fess 11.0.0 - 13.15.1
Solutions and Mitigations:
Users may upgrade to Fess 13.15.2, or set the -Dlog4j2.formatMsgNoLookups=true as the JVM option.
Please get in touch with commercial support if you need it.