Log4j Vulnerability CVE-2021-44228 (4273218)

Toad for Oracle:
Toad for Oracle does not use Log4j. Therefore this vulnerability does not affect the product.
Toad for Oracle uses OraLDAPClntNN.dll (where NN is oracle version number like 12, 18, 19, etc)

It's unclear if Oracle LDAP client this uses Log4j, but believe this is not the case. 

Some more information about the exploit:
"An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled"

Toad doesn't use any log message lookup substitution.   The only messages we get from LDAP are numeric error codes, and Toad does not use any lookup substitution on them, or anything else.

Toad Edge:
Toad Edge doesn't use Log4j 2, but does use Log4 1.2.17

The range for this particular security vulnerability (CVE-2021-44228) is Log 4j 2.x to Log4j 2.15.0-rc1
Also, Toad Edge is not a server based application. The attack needs to happen over HTTP(S) requests.


Unaffected products:

Toad for Oracle

Toad for Oracle Editions

Toad for SQL Server

Toad for DB2

Toad for SAP

Toad for Data Point

Toad Intelligence Central

Toad Data Modeler

Toad Edge

SQL Navigator

SQL Optimizer for Oracle

SQL Optimizer for SQL Server

SQL Optimizer for DB2 LUW

SQL Optimizer for DB2 ZOS

SQL Optimizer for SAP

Benchmark Factory for Databases

Code Tester for Oracle

Toad DevOps Toolkit

Spotlight on Oracle

Spotlight on SAP

Spotlight on DB2 LUW