I got asked about this by others in my company who are using Apache
Daffodil, so I figure others in the user community may have the same
concerns.

So in case you get asked, the summary is ....

Apache Daffodil has already released an updated version (v3.2.1) which
updates the dependency on Log4J to the fixed updated version. (Release
notes here: https://daffodil.apache.org/releases/3.2.1/)

We released this on Dec 23, only 12 days after the first of the two CVEs
was posted, and 1 week after the second Log4J CVE was posted.

In addition, if you are using older versions of Daffodil, versions prior to
3.1.0 did not use Log4J at all.

The upshot: only Daffodil 3.1.0 contained the vulnerable Log4J dependency,
so applications using Daffodil 3.1.0 should immediately update to version
3.2.1.
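The message above tells you which Daffodil release to move to, but the thing worth checking in an actual deployment is which log4j-core ends up on the classpath, since a shaded application jar or another dependency can carry its own copy. The following is an added example, not code from the Daffodil project or the message author: it opens each jar, reads the version Maven records in META-INF/maven/.../log4j-core/pom.properties, falls back to detecting log4j-core classes when that metadata was stripped by shading, and compares the version against a minimum you pass in. The minimum is a parameter, not a constant, because the message does not state the fixed Log4J version; take it from the 3.2.1 release notes it links to. The sample jars, the `make_jar` helper, and the `JndiLookup.class` marker heuristic are all my own constructions for the demonstration.

```python
"""Scan jars for a bundled log4j-core and compare its version against a minimum
supplied by the caller (added example; the minimum is taken from the release
notes you trust and is deliberately not hard-coded here)."""
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

# Maven records the artifact coordinates at this path in every jar it builds.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# A class that ships only inside log4j-core; if it is present in a shaded jar
# without pom.properties, log4j-core is bundled but the version is unknown.
# (Assumption: the marker path; it is a heuristic, not a vulnerability test.)
CORE_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def make_jar(entries: Dict[str, str]) -> bytes:
    """Build a minimal jar (a zip) in memory; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.17.0' -> (2, 17, 0); numeric parts only, so '-rc1' style suffixes do not break it."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def log4j_core_version(jar_bytes: bytes) -> Optional[str]:
    """Return the recorded log4j-core version, 'unknown' if log4j-core classes are
    present without metadata, or None if log4j-core is not in this jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            text = zf.read(POM_PROPS).decode("utf-8", "replace")
            for line in text.splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if CORE_MARKER in names:
            return "unknown"
    return None


def assess(version: Optional[str], minimum: str) -> str:
    """Turn a detected version into an actionable status string."""
    if version is None:
        return "no log4j-core"
    if version == "unknown":
        return "log4j-core bundled, version unknown: inspect manually"
    if parse_version(version) < parse_version(minimum):
        return f"log4j-core {version} below {minimum}: update"
    return f"log4j-core {version} ok"


def report(jars: Dict[str, bytes], minimum: str) -> Dict[str, str]:
    """Assess every jar in the mapping name -> bytes against the given minimum."""
    return {name: assess(log4j_core_version(data), minimum) for name, data in jars.items()}


# Constructed sample jars for the demonstration; not real Daffodil or Log4J artifacts.
SAMPLE_JARS = {
    "old-deploy.jar": make_jar({POM_PROPS: "version=2.14.1\nartifactId=log4j-core\n"}),
    "shaded-app.jar": make_jar({CORE_MARKER: "", "org/example/Main.class": ""}),
    "no-log4j.jar": make_jar({"org/example/Main.class": ""}),
    "updated-deploy.jar": make_jar({POM_PROPS: "version=2.17.0\n"}),
}

if __name__ == "__main__":
    # Replace SAMPLE_JARS with {path: open(path, "rb").read()} over your real classpath.
    for jar, status in report(SAMPLE_JARS, "2.17.0").items():
        print(f"{jar}: {status}")
```

Run it over the jars actually deployed rather than over the build file: a dependency declared as fixed in the POM is not the same as the jar that is loaded at runtime, and a shaded artifact will show up here as "version unknown", which is the case that needs a manual look.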
