Based on this, where are those log files stored by default? I want to see if I can delete those, but I don't find any log files in the location where the Metabase JAR file is located.
I run them locally with Java.
If you're using 33, then there are several other vulnerabilities, so you should upgrade.
But anything below x.37.0 uses Log4jv1, so while they are not directly known to be exploitable, there are other known vulnerabilities in Log4jv1, which will not be addressed, since it's out-of-date.
In other words: upgrade if you are using a release older than December 10th 2021.
How should customers best track when vulnerabilities like this exist? Ideally, customers get notified via a push notification or email to alert them. If this exists, can someone point to how to sign up for these alerts?
@corey Our Enterprise customers were notified directly, as well as thousands of open source users via the newsletters (see bottom of our website).
Or you can subscribe to security advisories via https://github.com/metabase/metabase > click Watch in upper-right corner > Custom > select Security alerts.