Updated 15 December 2021
These are maintenance releases, you’ll find several bug fixes available for both products.
These product updates ALSO include Apache Log4j, version 2.16.0. Note that while SQL Developer is a desktop tool and not likely to be a problem, we take these issues extremely seriously, and have updated the software within a business day of becoming aware of the issue.
You can find the other bug fixes for SQL Developer here.
What about ORDS, SQL Developer Web, and SQLcl?
These products neither use nor ship the Log4j library. They are not affected by this known security vulnerability. We are readying versions 21.4 releases for these products and should be available before we leave for the 2021 Winter Break.