ECS systems are based on Centos (4-7) or Rocky Linux (8+). These operating systems are basically the same as Red Hat Enterprise Linux but with different logos and licensing. According to the following Red Hat web page, these operating systems are not affected by the log4j vulnerability. The page also has more information about the vulnerability. We are currently running the scanner on several systems as an additional check.
ECS programs do not use Apache Log4j directly. We use the Apache Batik library. Part of the library uses Log4j but we do not use that function (PDF conversion).