Are currently supported versions of Foglight affected by the Apache log 4j2 vulnerability (CVE-2021-45105)? (4311783)

Apache log4j 2.16 vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2021-45105

While the severity of this latest vulnerability is not as high as the previous vulnerabilities, for which Quest has supplied a fix to apply to Foglight to remove those vulnerabilities, Quest continues to monitor all documented log4j vulnerabilities.

Quest has confirmed that the latest CVE-2021-45105 vulnerability does not affect Foglight 6.0 customers.

The following components are not affected because these components use Log4J version 1.2.17.

• Foglight Management Server (all released version levels)
• Foglight Agent Manager (all released version levels)
• Foglight Evolve (all released version levels)
• Foglight for Virtualization, Enterprise Edition (FVE) (all versions)
• Foglight for Storage Management (FSM) (all versions)
• Foglight cartridges released below the 6.0.0 version
• These database cartridges are not affected: MySQL, PostgreSQL, MongoDB, Cassandra. Redshift

Although the Foglight 6.0.0 cartridges listed below with build IDs beginning with 6.0.0.10-2021121*-* include the log4j 2.16 version, Foglight is not affected by this issue because it is not using a Context Lookup in the code. 

• Database cartridges: DB2, Oracle, Azure SQL, SQL Server, Sybase, MySQL PI
• Evolve cartridges: Active Directory (AD), Exchange, and Office365