HP has stated that HP Device Manager is NOT effected by the Log4j CVE-2021-44228 vulnerability.
Although HP Device Manager uses Log4j, it uses version 1 which is not effected version by the vulnerability.
=======================================================
All Java applications of HPDM use Log4j 1.x branch,
which are not affected by CVE-2021-44228 Apache Log4j Vulnerability.
Specifically,
- HPDM Console and Server: use Log4j 1.2.12
- HPDM Console Web Bridge: uses Log4j 1.2.17
- Other HPDM Java applications: use Log4j 1.2.12
All open source software and libraries used in HPDM do not use Log4j2.
Log4j2 versions are never used in any released HPDM version.
=======================================================
HP Official statement: Apache Log4j Vulnerability | HP® Customer Support
HP Thin Clients and the ZCentral Software are also NOT effected by this vulnerability.
This public information is published by HP Inc. , MDCS or the MDCS Knowledge base will NOT accept any responsibility for the correctness of this information.