The version of log4j (1.2.17, also referred to as log4j1) used in the Kaazing Gateway/KWIC is not affected by the vulnerability in CVE-2021-44228.
As stated by Apache here https://logging.apache.org/log4j/2.x/security.html, "Log4j 1.x is not impacted by this vulnerability".
Official statements from Microsoft and Amazon regarding their use of log4j1:
The use of log4j 1.2.17 in Kaazing Gateway/KWIC is not impacted by CVE-2021-44228. We have no current plans to upgrade from log4j1 to log4j2.
Prior CVE's for log4j1 and our official responses:
CVE-2021-4104 (Published 12/14/2021) - https://www.cvedetails.com/cve/CVE-2021-4104/
At the time of publication, we reviewed the CVE and found that this issue only affects the applications that use the JMSAppender class. The Gateway does not use the JMSAppender class, thus the Gateway is unaffected by this CVE.
CVE-2019-17571 (Published 12/20/2019) - https://www.cvedetails.com/cve/CVE-2019-17571/
At the time of publication, we reviewed the CVE and found that this issue only affects the applications that use the SocketServer class. The Gateway does not use the SocketServer class, thus the Gateway is unaffected by this CVE.