Making things even more confusing, there are lots of ways to use log4j, only some of which expose this vulnerability. For example, Splunk uses it, but says the exploit matters on "All supported non-Windows versions of 8.1.x and 8.2.x only if Hadoop (Hunk) and/or DFS are used."
It appears that the offending libraries are always installed, so some/many systems will show up in scans, but are not really at risk. The good news is that in those cases, those jars can be renamed/moved/removed to clear up the false positive.