Concern: CVE-2022-23307 for log4j_log4j and labeled with severity = critical.
We have a container-based IA as a Node.JS and Python agent listener.
This was tagged by a vulnerability scanner as CVE-2022-23307 for log4j_log4j and labeled with severity = critical.
CVE-2022-23307 link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23307
/opt/app-root/src/apmia/lib/com.wily.log4j.jar
(app-root) sh-4.2# unzip -p com.wily.log4j.jar META-INF/MANIFEST.MF
Manifest-Version: 1.0
Export-Package: com.wily.org.apache.log4j,com.wily.util.feedback.log4j,com.wily.org.apache.log4j.config,com.wily.org.apache.log4j.helpers,com.wily.org.apache.log4j.spi,com.wily.util.feedback.log4j
Build-Jdk-Spec: 1.7
Bundle-Version: 1.2.17
Eclipse-BuddyPolicy: dependent
Bundle-Name: wilylog4j
Bundle-ManifestVersion: 2
Created-By: Maven Jar Plugin 3.2.0
Bundle-SymbolicName: com.wily.log4j
Import-Package: javax.jmdns;resolution:=optional,javax.jms;resolution:=optional,javax.management,javax.naming,javax.xml.parsers,org.w3c.dom,org.xml.sax,org.xml.sax.helpers
Release : SAAS, APM On-Premise
Component : log4j
Engineering has confirmed that the vulnerability scan result is a false positive.
Security vulnerabilities reported by Black Duck/Code Insight/Twistlock/Qualys/OWASP-check and other tools against APM 20.x and 21.x releases are false positives. The reported vulnerabilities are either fixed by patching (such as Apache Axis 1.4) or are not applicable to APM 10.7 or to APM 20.x/21.x.
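A local check for triaging a finding like this one, as an added example (not from this article or the APM product): it parses the jar manifest shown above and looks for Chainsaw classes, on the assumption that CVE-2022-23307 is the deserialization flaw in Apache Chainsaw, which shipped inside log4j 1.2.x; the sample jar is constructed in memory from the manifest values quoted above, and the function name and output keys are the example's own.

```python
# Added example (not from the KB article or the APM product): triage a scanner hit
# on a repackaged log4j 1.2.x jar. Assumes CVE-2022-23307 is the Apache Chainsaw
# deserialization flaw bundled in log4j 1.2.x, so a jar with no
# .../log4j/chainsaw/ classes does not carry the affected code path.
import io
import zipfile

CHAINSAW_MARKER = "/log4j/chainsaw/"


def parse_manifest(text: str) -> dict:
    """Parse MANIFEST.MF; lines starting with a space continue the previous header."""
    headers, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            headers[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
    return headers


def triage_log4j_jar(jar_bytes: bytes) -> dict:
    """Report the bundled version and whether Chainsaw classes are present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode())
    chainsaw = sorted(n for n in names if CHAINSAW_MARKER in n and n.endswith(".class"))
    return {
        "version": manifest.get("Bundle-Version", "unknown"),
        "exports_chainsaw": "chainsaw" in manifest.get("Export-Package", ""),
        "chainsaw_classes": chainsaw,
        "cve_2022_23307_code_present": bool(chainsaw),
    }


def build_sample_jar(with_chainsaw: bool) -> bytes:
    """Constructed in-memory jar: manifest values from the article plus stub classes."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Export-Package: com.wily.org.apache.log4j,com.wily.util.feedback.log4j,\r\n"
        " com.wily.org.apache.log4j.spi\r\n"
        "Bundle-Version: 1.2.17\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("com/wily/org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        if with_chainsaw:  # the case a scanner should really flag
            jar.writestr("com/wily/org/apache/log4j/chainsaw/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Run `triage_log4j_jar(open("/opt/app-root/src/apmia/lib/com.wily.log4j.jar", "rb").read())` against the real jar; an empty `chainsaw_classes` list is the evidence to attach when documenting the false positive.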