Unity 3.7.2 bundling an updated log4j library (2.16.0) with a fix for the CVE-2021-45046 vulnerability was published today.

If you can’t update immediately make sure to:

  • Apply workaround for the previous log4j vulnerability (as described in Log4j vulnerability)
  • Modify your logging configuration file, so it does not contain any logger context references, i.e. ${ctx:loginId}, %X, %mdc, or %MDC.