Concern: CVE-2022-23307 reported for log4j_log4j and labeled with severity = critical.
We have a container-based IA as a Node.js and Python agent listener.
This was tagged by a vulnerability scanner with CVE-2022-23307 for log4j_log4j and labeled with severity = critical.
CVE-2022-23307 link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23307
(app-root) sh-4.2# unzip -p com.wily.log4j.jar META-INF/MANIFEST.MF
Created-By: Maven Jar Plugin 3.2.0
Release : SAAS, APM On-Premise
Component : log4j
Engineering confirmed that it is a false positive.
Engineering has confirmed that the vulnerability scan is a false positive.
The security vulnerabilities reported by Black Duck/Code Insight/Twistlock/Qualys/OWASP-check and other tools against APM 20.x and 21.x releases are false positives. The security vulnerabilities are either fixed by patching, such as Apache Axis 1.4, or are not applicable to APM 10.7 or APM 20.x/21.x.
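A scanner hit like this can be checked against what the JAR actually contains, not only its name or version string. The added example below (not the vendor's code and not part of the original article) reads the manifest as the `unzip -p` command above does and lists any classes from the Chainsaw package, the Log4j 1.2.x component that CVE-2022-23307 concerns. The path marker, the function names and the in-memory sample JAR are assumptions constructed for illustration.

```python
import io
import zipfile

# CVE-2022-23307 is the deserialization flaw in the Chainsaw log viewer
# bundled with Apache Log4j 1.2.x. Matching on a path fragment also catches
# relocated packages; the layout inside com.wily.log4j.jar is an assumption.
CHAINSAW_MARKER = "log4j/chainsaw/"


def read_manifest(jar):
    """Return the main-section attributes of META-INF/MANIFEST.MF as a dict."""
    raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    # Manifest lines longer than 72 bytes continue on the next line with a
    # leading space; unfold them before splitting into key/value pairs.
    unfolded = raw.replace("\r\n", "\n").replace("\n ", "")
    main_section = unfolded.split("\n\n", 1)[0]
    attrs = {}
    for line in main_section.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            attrs[key] = value
    return attrs


def triage_jar(jar_file):
    """Collect manifest attributes and any Chainsaw classes from a JAR."""
    with zipfile.ZipFile(jar_file) as jar:
        chainsaw = sorted(n for n in jar.namelist()
                          if CHAINSAW_MARKER in n and n.endswith(".class"))
        return {"manifest": read_manifest(jar), "chainsaw_classes": chainsaw}


def build_sample_jar(entries):
    """Build an in-memory JAR (constructed sample data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n"
                     "Created-By: Maven Jar Plugin 3.2.0\r\n\r\n")
        for name in entries:
            jar.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_jar(["org/apache/log4j/Logger.class",
                               "org/apache/log4j/chainsaw/LoggingReceiver.class"])
    print(triage_jar(sample))
```

An empty `chainsaw_classes` list shows only that those classes are not packaged in the JAR that was inspected; it does not by itself state the reason behind the false-positive determination above.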