Pre-2.3.0.119 versions make HTTP request as described in the CVE, but do not execute remote code. JRE version installed on the hubs prevents remote code loading.
2.3.0.119 has an updated log4j version that prevents HTTP requests as well.
Download the Hubitat app
