Following the vulnerabilities related to log4j, ONAP SECCOM recommends that all impacted projects upgrade to version 2.17.1.

More details are in the attached presentation.

Istanbul Maintenance Update

Log4j vulnerabilities in direct dependencies were removed from A&AI, DMAAP, SDNC and VNFSDK. Log4j vulnerabilities introduced by transitive dependencies are still present in A&AI, CCSDK, DCAE, DMAAP, MULTICLOUD, SDNC, SO and VNFSDK.
