MSP360 software contains a component based on Lucene++, version 3.0.8:

The Lucene++ has the Apache License:

On December 13, 2021 the Apache Foundation released an emergency update for a critical zero-day vulnerability in Log4j, a logging tool included in almost every Java application.

The problem revolves around a bug in the Log4j library that can allow an attacker to execute arbitrary code on a system that is using Log4j to write out log messages. This security vulnerability has a broad impact and is something anyone with an application containing Log4j needs to immediately pay attention to.

This vulnerability does not affect MSP360 or Cloudberry users.