Mann_lloyd
New Member
21 days ago

ReadyAPI 3.65 – Confirmation of bundled Log4j version and remediation guidance

We recently upgraded ReadyAPI to version 3.65.0 on a Windows host to remediate Log4j findings. However, our security vulnerability scanner is still flagging log4j-core version 2.17.1 under the ReadyAPI 3.65 installation directory.

We are requesting clarification on the following items.

First, can you confirm the exact Log4j version or versions that are bundled with ReadyAPI 3.65.0? Our installation directory currently contains the file log4j-core-2.17.1.jar under the ReadyAPI lib directory.

Second, has Log4j been updated to version 2.25.3 in any ReadyAPI release or patch? Our security team is requiring Log4j 2.25.3 to address newer Apache Log4j CVEs.

Third, if ReadyAPI 3.65.0 does not include Log4j 2.25.3, is there a supported hotfix, patch, or newer ReadyAPI version planned that includes this update? If not, does SmartBear support manually replacing the Log4j JAR files in the ReadyAPI lib directory with a newer Log4j version such as 2.25.3, and are there any known compatibility concerns or official documentation for this approach?

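A defender-side inventory check for the situation the post describes, added here as an example and not code from SmartBear or the ReadyAPI project: it walks a lib directory, identifies log4j-core JARs by the Maven pom.properties stamped inside them (the same evidence a vulnerability scanner uses, so a renamed JAR does not hide), and compares each embedded version against the 2.25.3 minimum the security team requires. The fixture JAR builder is a constructed stand-in that carries only pom.properties, not real Log4j.

```python
import io
import re
import zipfile
from pathlib import Path

# Minimum Log4j version the security team requires, as stated in the post.
REQUIRED = "2.25.3"
# Standard Maven location of the build metadata inside a log4j-core JAR.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(v):
    """Turn '2.17.1' into (2, 17, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def jar_log4j_core_version(jar_bytes):
    """Return the version recorded inside a log4j-core JAR, or None if it is not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        if POM_PROPERTIES not in z.namelist():
            return None
        for line in z.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "version":
                return value.strip()
    return None

def audit_jars(jars, required=REQUIRED):
    """jars: iterable of (filename, bytes). Returns {filename: (embedded version, compliant)}
    for every JAR that is log4j-core; the filename is ignored when judging the version."""
    findings = {}
    for name, data in jars:
        version = jar_log4j_core_version(data)
        if version is not None:
            findings[name] = (version, parse_version(version) >= parse_version(required))
    return findings

def audit_lib_dir(lib_dir, required=REQUIRED):
    """Audit every *.jar below lib_dir (e.g. the ReadyAPI lib directory)."""
    paths = Path(lib_dir).rglob("*.jar")
    return audit_jars(((p.name, p.read_bytes()) for p in paths), required)

def make_fixture_jar(version):
    """Constructed test JAR containing only pom.properties; not a real Log4j artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed lib contents mirroring the post: a 2.17.1 log4j-core JAR is still present.
    sample = [("log4j-core-2.17.1.jar", make_fixture_jar("2.17.1"))]
    for name, (ver, ok) in audit_jars(sample).items():
        print(f"{name}: embedded version {ver}, meets {REQUIRED}: {ok}")
```

Run `audit_lib_dir(r"C:\Program Files\SmartBear\ReadyAPI-3.65.0\lib")` (path is an assumption; use your actual install directory) to see what the scanner sees, and note that a JAR whose filename claims a newer version is still reported by its embedded version.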