log4j and a ArcGIS 10.8.1 upgrade

01-28-2022 09:35 AM
forestknutsen1
MVP Regular Contributor

I was under the impression that ArcGIS Enterprise 10.8.1 did not include the vulnerable versions of log4j. This assumption was based off the early mitigation steps from Esri recommending an upgrade to 10.8 or higher (this was the recommendation, posted around 12/13/2021, before the mitigation scripts were released).

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2...

But I see that the mitigation scripts are recommended after an upgrade for all versions.

"After upgrading Enterprise do I need to re-run the script again (for example, 10.9 to 10.9.1)

  • Yes"

https://support.esri.com/en/technical-article/000026995

After doing an upgrade to 10.8.1 in our dev environment we reran the scripts and it removed a number of new log4j files. 

Do all versions of ArcGIS Enterprise have the vulnerability? Therefore, an upgrade just reinstalls the vulnerable code?

2 Replies
Brian_Wilson
Occasional Contributor III

I was under that impression too, but I think it's safer to remove anything flagged by this CERT script instead of relying only on Esri messages.

I needed to soothe BitDefender, which was flagging both 10.8.1 and 10.9 here. BitDefender does not give me anything other than "the problem is in the filesystem" so it was up to me to find which files trigger it.

I ran the script from CERT to search for vulnerabilities everywhere on C:, and it flagged all the components of ArcGIS, that is, DataStore, Portal, and Server.

The scanner is here: https://github.com/CERTCC/CVE-2021-44228_scanner.git

The scanner also found some other things unrelated to Esri which I simply uninstalled.

I used the Python version because it was short enough to read and understand, so I could tell it was not doing anything nefarious. (Likewise the one from Esri.) I am always reluctant to download and run code from a GitHub archive without checking it.

I ignored the advice from Esri about what components might or might not be vulnerable/exploitable and used the Python script that Esri provided ("log4shellmitigation"), and ran it on each component.

Now BitDefender (and my network administrator) have calmed down and that's what really matters to me. 

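As an added example (not code from this thread, from Esri or from CERT), here is a small Python checker for the re-verification step both posts describe: walk an install tree, find every JAR that carries log4j-core classes, read the version from its manifest and report whether JndiLookup.class is still inside. It assumes log4j-core JARs can be recognised by entries under org/apache/logging/log4j/core/ and that the version lives in the manifest's Implementation-Version field; the sample JARs it scans are constructed in a temporary directory.

```python
# Added example (not from this thread, Esri or CERT): walk a tree, find log4j-core
# JARs (shaded copies too), read the version from the manifest and report whether
# JndiLookup.class, the CVE-2021-44228 entry point the mitigation scripts delete,
# is still present. Worth re-running after an upgrade, which can reinstall it.
import os
import tempfile
import zipfile
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"

def inspect_jar(path):
    """Return (version, jndi_present) if the JAR carries log4j-core, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = jar.namelist()
            if not any(n.startswith(CORE_PREFIX) for n in names):
                return None
            version = "unknown"
            if "META-INF/MANIFEST.MF" in names:
                text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("Implementation-Version:"):
                        version = line.split(":", 1)[1].strip()
            return version, JNDI_ENTRY in names
    except zipfile.BadZipFile:
        return None  # not a readable archive; skip it

def scan_tree(root):
    """List (path, version, jndi_present) for every log4j-core JAR under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(".jar"):
                result = inspect_jar(os.path.join(dirpath, name))
                if result is not None:
                    findings.append((os.path.join(dirpath, name),) + result)
    return findings

def _write_sample_jar(path, version, with_jndi):
    # Constructed stand-in for a log4j-core JAR: empty entries, no real bytecode.
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\r\n")
        jar.writestr(CORE_PREFIX + "LoggerContext.class", b"")
        if with_jndi:
            jar.writestr(JNDI_ENTRY, b"")

def demo():
    # Constructed tree: an unmitigated 2.11.2 JAR in a subdirectory, a cleaned 2.17.1 JAR at root.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        _write_sample_jar(os.path.join(root, "lib", "log4j-core-2.11.2.jar"), "2.11.2", True)
        _write_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", False)
        return sorted((os.path.basename(p), v, j) for p, v, j in scan_tree(root))
```

Point scan_tree at the ArcGIS install root (or the whole drive, as in the post above) and treat any row with jndi_present True as a JAR the mitigation script still needs to clean.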
forestknutsen1
MVP Regular Contributor

Cool, thanks for the information.
