HP has stated that HP Device Manager is NOT effected by the Log4j CVE-2021-44228 vulnerability.

Although HP Device Manager uses Log4j, it uses version 1 which is not effected version by the vulnerability.

=======================================================

All Java applications of HPDM use Log4j 1.x branch,

which are not affected by CVE-2021-44228 Apache Log4j Vulnerability.

Specifically,

• HPDM Console and Server: use Log4j 1.2.12
• HPDM Console Web Bridge: uses Log4j 1.2.17
• Other HPDM Java applications: use Log4j 1.2.12

All open source software and libraries used in HPDM do not use Log4j2.

Log4j2 versions are never used in any released HPDM version.

=======================================================

HP Official statement: Apache Log4j Vulnerability | HP® Customer Support

HP Thin Clients and the ZCentral Software are also NOT effected by this vulnerability.