Looks like this whole #log4j debacle is going to be hard to address due to Java practices consisting in shipping binaries (jars) of unknown provenance.
Glad the one in #Guix is built from source, and now fixed:
$ ls /gnu/store/*java*
whew, the four "java"s that appear in my /gnu/store are just part of a hash :)