Stata 15 and Stata 16 do not use log4j and are not affected. Stata 17 uses Java 11, which is partially mitigated according to https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.

Stata 17’s core features do not use log4j. The experimental H2O feature, however, does use the affected version of log4j if your Stata 17 has not been updated to the 14dec2021 level or later. Unless you are using h2o commands, the library will not be loaded.

We have released an update to Stata 17 this morning (21 dec 2021) that includes an updated H2O library with a patched log4j.

If you aren’t going to use H2O integration, or if you aren’t able to update immediately for some reason, the libraries (including the affected log4j library) can be removed from the Stata installation. You can safely delete <stata_installation_directory>/ado/base/jar/libstata-h2o.jar to remove any possibility of the library being loaded.
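
A check that can be run before and after updating or deleting the jar, added here as an example (it is not StataCorp's code): it reports whether libstata-h2o.jar is still present and which log4j-core copy, if any, it bundles. It assumes log4j-core sits in the jar (or in a jar nested inside it) with its standard, unshaded Maven metadata and class paths; a relocated copy would not be reported.

```python
import io
import sys
import zipfile
from pathlib import Path

# Jar location relative to the Stata installation directory (from the advisory).
H2O_JAR = Path("ado/base/jar/libstata-h2o.jar")
# Assumed unshaded log4j-core 2.x layout: Maven metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def scan_jar(source, label):
    """Yield (location, version or None, has_jndi_class) per log4j-core copy."""
    try:
        jar = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    with jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version or JNDI_CLASS in names:
            yield (label, version, JNDI_CLASS in names)
        # A fat jar may embed further jars; descend into each one.
        for name in sorted(n for n in names if n.endswith(".jar")):
            yield from scan_jar(io.BytesIO(jar.read(name)), f"{label}!{name}")

def check_install(stata_dir):
    """Return None if the H2O jar is absent, else a list of log4j-core findings."""
    jar_path = Path(stata_dir) / H2O_JAR
    if not jar_path.is_file():
        return None
    return list(scan_jar(jar_path, str(jar_path)))

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python <this script> <stata_installation_directory>")
    findings = check_install(sys.argv[1])
    if findings is None:
        print("libstata-h2o.jar is absent: the H2O library cannot be loaded")
    elif not findings:
        print("libstata-h2o.jar is present; no unshaded log4j-core found in it")
    for where, version, has_jndi in findings or []:
        print(f"{where}: log4j-core {version or 'version unknown'}, JndiLookup.class={has_jndi}")
```

The reported version is only what the jar's own metadata states; compare it against the log4j project's advisories to decide whether that copy is patched.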