A vulnerability scan is reporting "EOL/Obsolete Software: Apache Log4j 1.X Detected" against VIP EG 9.9.2.
VIP Enterprise Gateway
Certain VIP EG files may trigger false-positive log4j vulnerability results because they contain an unused classpath reference to a non-existent "\ext\log4j-1.2.17.jar".
The reference to ext\log4j-1.2.17.jar may be seen in the following files:
<Location where VIP Enterprise Gateway is installed>\VIP_Enterprise_Gateway\LdapSync\services\ldapSync\conf\wrapper1.conf
<Location where VIP Enterprise Gateway is installed>\VIP_Enterprise_Gateway\LdapSync\services\ldapSync\conf\wrapper2.conf
<Location where VIP Enterprise Gateway is installed>\VIP_Enterprise_Gateway\IDP\services\VIPMGR\conf\wrapper.conf
<Location where VIP Enterprise Gateway is installed>\VIP_Enterprise_Gateway\IDP\services\VIPSSP\conf\wrapper.conf
Additionally, log4j-1.2.17.jar files and references may also exist in backup .bak files created by the VIP EG installer during an upgrade so that the upgrade can be rolled back (example: VIP_Enterprise_Gateway9.9.2.bak). These files can safely be deleted without affecting VIP EG functionality. Do not delete the active VIP_Enterprise_Gateway installation folder.
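To confirm the finding is a false positive on a given host, the following read-only PowerShell check (an added example, not vendor-supplied code) reports where the jar name is referenced, whether the jar exists on disk in the active installation, and which .bak backups are present. It assumes `-InstallParent` is the folder that contains VIP_Enterprise_Gateway and that the .bak backups sit beside it; both are assumptions to adjust for your host.

```powershell
# Added example, not vendor code. Read-only: it reports and never deletes.
param(
    # Assumption: the folder that contains VIP_Enterprise_Gateway
    [Parameter(Mandatory = $true)][string]$InstallParent
)

$jarName = 'log4j-1.2.17.jar'
$active  = Join-Path $InstallParent 'VIP_Enterprise_Gateway'

# The four files listed in the article, relative to the active install folder
$confFiles = @(
    'LdapSync\services\ldapSync\conf\wrapper1.conf',
    'LdapSync\services\ldapSync\conf\wrapper2.conf',
    'IDP\services\VIPMGR\conf\wrapper.conf',
    'IDP\services\VIPSSP\conf\wrapper.conf'
)

# 1. Show every line that mentions the jar name
foreach ($rel in $confFiles) {
    $path = Join-Path $active $rel
    if (-not (Test-Path -LiteralPath $path)) { "NOT FOUND  $path"; continue }
    Select-String -LiteralPath $path -Pattern $jarName -SimpleMatch |
        ForEach-Object { "REFERENCE  {0}:{1}  {2}" -f $_.Path, $_.LineNumber, $_.Line.Trim() }
}

# 2. Check whether the jar itself exists anywhere in the active installation
$jars = @(Get-ChildItem -LiteralPath $active -Recurse -File -Filter $jarName -ErrorAction SilentlyContinue)
if ($jars.Count -eq 0) {
    "RESULT  $jarName is not on disk under $active"
} else {
    $jars | ForEach-Object { "JAR PRESENT  $($_.FullName)" }
}

# 3. List installer backups (assumed to sit beside the active folder)
Get-ChildItem -LiteralPath $InstallParent -Filter '*.bak' -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.PSIsContainer) {
            $n = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Filter $jarName -ErrorAction SilentlyContinue).Count
            "BACKUP  $($_.FullName)  (copies of ${jarName}: $n)"
        } else {
            "BACKUP  $($_.FullName)"
        }
    }
```

REFERENCE lines combined with a "not on disk" RESULT match the false-positive condition described above; a JAR PRESENT line means the scanner found an actual file and the result needs further review.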
VIP EG 9.9.2 only (these files are included in 9.10 and later):
VIP EG 9.10 and later: