We ran Fortify tool on our code base which is currently using log4j 2.17.1+ version. However, the fortify tool complains that:
The program runs a JNDI lookup with an untrusted address that might enable an attacker to run arbitrary Java code remotely.
I googled a lot and everywhere it says that log4j 2.17.0 onwards, this issue has been addressed. Can anyone please suggest ?