Penny and Spencer are not affected by the Apache Log4j vulnerability
A high severity vulnerability, (CVE- 2021-44228), impacting multiple versions of Apache Log4j utility, was disclosed publicly on December 9, 2021. The vulnerability impacts Apache Log4j 2 versions- 2.0 to 2.14.1. You can find the details of this vulnerability documented here: https://logging.apache.org/log4j/2.x/security.html
Neither Penny nor Spencer access this module and as a result, there are no patches required.
If you have third party solutions that you are unsure, we do recommend you check out vendor sites to ensure they have no use of the module or they have installed a patch.