As you might be aware, a Log4j2 vulnerability was reported on December 9 2021. The remote code execution vulnerability CVE-2021-44228 was found in the Apache Log4j library, a part of the Apache Logging Project. If a product uses a vulnerable version of this library with the JNDI module for logging purposes, there is a high possibility that this vulnerability can be exploited. (Source: https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/).
In case you have any concerns about this related to iText products, we can assure you that the iText Suite (5 & 7) are not affected by this issue. iText DITO might be falsely flagged as potentially affected, but we are happy to let you know it is not. While we do have a log4j dependency on the Manager component, the JDK version used within the container is not part of the vulnerability.
However, to address any concerns, we will be releasing an update this week for iText DITO to resolve this false positive.