Can you please help us get some clarification on CVE-2021-44228? It looks like CVE-2021-44228 also impacts Log4j 1.x.
Since we still have /opt/commvault/Base64/DbJars/log4j-1.2.16.jar, we are being told by our Cyber team that according to CVE-2021-44228 on the https://logging.apache.org/log4j/2.x/security.html
Below is the snippet from the logging.apache.org link above:
Log4j 1.x mitigation
Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
Does Commvault use JNDI with Log4j 1.x?
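
The audit step in the Apache note quoted above (checking Log4j 1.x configuration for a JMSAppender) can be scripted. The following is an added example, not part of the original post and not Commvault or Apache code; the function names are hypothetical and the sample configurations are constructed.

```python
import re
import xml.etree.ElementTree as ET
JMS_CLASS = "org.apache.log4j.net.JMSAppender"

def jms_in_properties(text):
    """Names of appenders declared as JMSAppender in log4j.properties text."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or properties comment
            continue
        # Match only the appender declaration, not its sub-options.
        m = re.match(r"log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)", line)
        if m and m.group(2) == JMS_CLASS:
            names.append(m.group(1))
    return names

def jms_in_xml(text):
    """Names of <appender> elements whose class is JMSAppender in log4j.xml text."""
    root = ET.fromstring(text)  # XML comments are dropped by the parser
    return [a.get("name") for a in root.iter("appender") if a.get("class") == JMS_CLASS]

def audit(filename, text):
    return jms_in_xml(text) if filename.endswith(".xml") else jms_in_properties(text)

# Constructed sample configurations (not taken from any real product).
SAMPLES = {
    "clean/log4j.properties": """\
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
# log4j.appender.old=org.apache.log4j.net.JMSAppender
""",
    "risky/log4j.properties": """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
""",
    "risky/log4j.xml": """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <!-- <appender name="disabled" class="org.apache.log4j.net.JMSAppender"/> -->
  <appender name="audit" class="org.apache.log4j.net.JMSAppender"/>
</log4j:configuration>
""",
}
if __name__ == "__main__":
    for name, text in SAMPLES.items():
        hits = audit(name, text)
        print(f"{name}: {'JMSAppender configured: ' + ', '.join(hits) if hits else 'no JMSAppender'}")
```

This only inspects configuration file text; an application that configures Log4j 1.x programmatically would need its code reviewed separately.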