Both applications use the Logback framework, not Log4j, for logging purposes. However, some included libraries depend on Log4j APIs, this is why we must use bridges to those APIs in order to process the related calls using Logback.
The version of the Log4j library included (but not loaded) in TheHive 4 is not affected by the vulnerability. The version is 1.2.17 and is the result of dependencies coming with Apache Hadoop client (optionally used as file storage backend for file observables and task log attachments).
Cortex and TheHive 3.x
TheHive 3 and Cortex do not load the core library of Log4j but a helper makes call from components to Log4j translated to Slf4j (which is using Logback). The loaded library does not contain the vulnerable code of Log4j.
Vulnerability status of underlying databases
TheHive and Cortex rely on Apache Cassandra and/or Elasticsearch for database and indexing.
Apache Cassandra is not known to be affected by this vulnerability.
Elasticsearch announced not to be vulnerable to the Remote Code execution, but could be to an information leak via DNS.
Refer to Elasticsearch advisories for solutions and mitigations included in their announcement.
TheHive and Cortex will continue to work nicely if Elasticsearch runs with the mitigation option -Dlog4j2.formatMsgNoLookups=true.
Should any more information become available, we will update this blog post accordingly.