MSP360 software contains a component based on Lucene++, version 3.0.8: https://github.com/luceneplusplus/LucenePlusPlus
The Lucene++ has the Apache License: http://www.apache.org/licenses/LICENSE-2.0
On December 13, 2021 the Apache Foundation released an emergency update for a critical zero-day vulnerability in Log4j, a logging tool included in almost every Java application.
The problem revolves around a bug in the Log4j library that can allow an attacker to execute arbitrary code on a system that is using Log4j to write out log messages. This security vulnerability has a broad impact and is something anyone with an application containing Log4j needs to immediately pay attention to.
This vulnerability does not affect MSP360 or Cloudberry users.