Hi Richard, Martin I saw this come in on JIRA - we don't ship the slf4j-ext module so presumably TomEE itself doesn't have this vulnerability "out-of-box". Am I correct in thinking we'd need to update the slf4j-api and slf4j-jdk14 jars, so if someone wanted to add the slf4j-ext module to a TomEE install, they could add a recent version that isn't affected by this CVE?
Thanks Jon
