This github repo has hashes of vulnerable versions of the library and the link to the apache repo suggest ver 1.x might also be vulnerable too.
I'm guessing installing jetty for the web console is what brings in log4j dependencies?
I'm guessing installing jetty for the web console is what brings in log4j dependencies?