Tenable Research is providing the following supporting...

Issue -- when a host has MULTIPLE copies of log4j.jar found in plugin 156001, plugin 156002 appears to report the "last" version detected on a host as THE vulnerable version. This can be misleading or fully wrong depending on the order of entries found in 156001 Here's an example. I'm not sure how Tenable can draw the "most current but vulnerable" data out of 156001 into 156002, but we really want to focus on the latest version installed.

156002 - Apache Log4j < 2.15.0 Remote Code Execution (Windows) – indicates version 1.2.15 is installed and vulnerable

 Path       : C:\CDFA\thirdparty\log4j-1.2.15.jar

 Installed version : 1.2.15

 Fixed version   : 2.15.0

156001 – Apache Log4j JAR Detection (Windows) – shows that the file system contains FOUR installations, with three different versions. The “real” vulnerability is file shown in plugin 156001, version 2.12.0 and 2.14.0.

Nessus detected 4 installs of Apache Log4j:

 Path  : C:\Program Files\IBM\Connect Direct v6.1.0\install\agent\bin\lib\log4j-core-2.12.0.jar

 Version : 2.12.0

 Method : JAR filesystem search

 Path  : C:\CDFA\thirdparty\log4j-2.14.0.jar

 Version : 2.14.0

 Method : JAR filesystem search

 Path  : C:\CDFA\thirdparty\log4j-core-2.14.0.jar

 Version : 2.14.0

 Method : JAR filesystem search

 Path     : C:\CDFA\thirdparty\log4j-1.2.15.jar

 Version   : 1.2.15

 Method    : Running process

 Process ID  : 2072

 Process Path : C:\CDFA\jre\bin\java.exe

 Running   : 1