Log4j is embedded in EMC Corporation's DFS 6.7SP1. We performed Veracode scan for DFS 6.7SP1 and scan reported that code in Log4j.jar - JDBCAppender.java:178 (no further details) is POSSIBLY vulnerable to SQL injection attacks. Log4j version: 1.2.13 Need update on this from Apache side. It it really vulnerable? if yes, is it fixed in some future version?