Is log4j used by EPiServer? Is Log4Net open to the same vulnerabilities?
Log4j is Java so isn't used in the Optimizely CMS/Commerce stack. Log4Net is used as a default in pre CMS 12/Commerce 14 instances but as it's built on the .NET framework it shouldn't have the same vulnerability, there's nothing I can see online that would suggest it would.
Thanks for helping with this!