page = the scala programming language
url = https://www.scala-lang.org
You may find below a non-comprehensive list of core Scala tools and libraries known to be affected by the vulnerability, and in which version (if any) it is addressed.
Affected tools and libraries with an available fix
Log4j is not enabled by default since sbt 1.4.0, but all users are recommended to upgrade to the latest fixed version. Any organization using sbt as part of CI/CD (continuous integration and delivery), automated publishing, and projects that expose a TCP/IP entry point during testing may be most vulnerable to an exploit.
Affected tools and libraries without a known available fix
It may also be possible to force the dependency of log4j, as explained below.
If your application is built with sbt, which is common in the Scala ecosystem, here is some information on how to determine the classpath of your application, and how to force an upgrade of the log4j dependencies.
Like in sbt, you can force an upgrade of transitive dependencies of log4j using