- Bug
- Resolution: Can't Do
- Critical
- None
- 1.3.0.Final
- None
- None
The log4j package is vulnerable to Dynamic-link Library (DLL) preloading. The org.apache.log4j.nt.NTEventLogAppender class does not load its native log appender DLL for Windows by fully qualified path, so the DLL is resolved through the Windows search order and is open to DLL Search Order Hijacking. An attacker who can place a file on that search path of a compromised system can force log4j to load a malicious DLL and execute arbitrary code in the context of the application's process.
Detection
The application is flagged as vulnerable simply by including this component.
This vulnerability only affects users on the Windows operating system. Reference: https://bz.apache.org/bugzilla/show_bug.cgi?id=50323
NexusIQ Reference: SONATYPE-2010-0053
Possible solution:
Add it to the excludes https://github.com/jboss-logging/log4j-jboss-logmanager/blob/1.3.0.Final/pom.xml#L127
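To verify that an exclusion like the one proposed above actually took effect, the check a practitioner wants is whether the shipped artifact still contains any class under org/apache/log4j/nt/. The script below is an added example, not code from this issue or from the log4j-jboss-logmanager project: it scans a JAR (descending into nested JARs inside a WAR or EAR) for those entries. The archives it builds are constructed fixtures; the class bodies are placeholder bytes, only the entry names matter.

```python
"""Check whether a JAR/WAR/EAR still ships the log4j 1.x NT event log appender.

Added example, not part of the original issue. The archives built below are
constructed test fixtures, not real log4j-jboss-logmanager artifacts.
"""
import io
import zipfile

# Package of the Windows-only appender (org.apache.log4j.nt). Its class loads
# NTEventLogAppender.dll by name, i.e. via the Windows DLL search order.
VULNERABLE_PREFIX = "org/apache/log4j/nt/"
# Nested archive types worth descending into (WEB-INF/lib/*.jar, EAR modules).
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_nt_appender_classes(archive_bytes: bytes, path: str = "") -> list:
    """Return archive-internal paths of every .class under org/apache/log4j/nt/.

    Nested archives are scanned recursively; hits inside them are reported as
    "<outer entry>!/<inner entry>" so the offending JAR can be identified.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            full = f"{path}!/{name}" if path else name
            if name.startswith(VULNERABLE_PREFIX) and name.endswith(".class"):
                hits.append(full)
            elif name.lower().endswith(NESTED_SUFFIXES):
                hits.extend(find_nt_appender_classes(zf.read(name), full))
    return hits


def is_affected(archive_bytes: bytes) -> bool:
    """True if the artifact still bundles the NT event log appender classes."""
    return bool(find_nt_appender_classes(archive_bytes))


def build_archive(entries: dict) -> bytes:
    """Construct an in-memory zip from {entry name: bytes} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures: Java class-file magic only, no real bytecode.
STUB_CLASS = b"\xca\xfe\xba\xbe"

# A repackaged log4j jar that still contains the appender (exclusion missing).
UNPATCHED_JAR = build_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/log4j/Logger.class": STUB_CLASS,
    "org/apache/log4j/nt/NTEventLogAppender.class": STUB_CLASS,
})

# The same jar built with org/apache/log4j/nt/** excluded.
PATCHED_JAR = build_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/log4j/Logger.class": STUB_CLASS,
})

# A web application that bundles the unpatched jar under WEB-INF/lib.
WAR_WITH_UNPATCHED = build_archive({
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/lib/log4j-jboss-logmanager.jar": UNPATCHED_JAR,
})


if __name__ == "__main__":
    for label, data in (("unpatched jar", UNPATCHED_JAR),
                        ("patched jar", PATCHED_JAR),
                        ("war", WAR_WITH_UNPATCHED)):
        print(label, "->", find_nt_appender_classes(data) or "clean")
```

Run it against the real artifact by reading the file into bytes and calling `is_affected()`; a non-empty result means the class is still on the classpath, regardless of whether the application ever configures the appender, which matches how the scanner above flags the component.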