We have a fully patched 10.9 Enterprise system (Portal, DataStore, Server, GeoEvent), but security scans (Nessus scanners from Tenable) result in some high log4j and Tomcat vulnerabilities. The security team is saying we need to remediate or upgrade. I believe the machines originally had 10.7 or 10.8 and have been upgraded a couple of times.
Curious if folks have had experience with this. My only thought is that upgrades and patches do not delete old jar files, and the security scans are just looking at version numbers. I know that old directories sometimes do not get deleted from doing some upgrades myself, but have never heard of a false positive for security vulnerabilities as an unintended result.
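One way to check the leftover-jar theory raised above, as an added example (not part of the original post, and not Esri or Tenable tooling): it lists every log4j-core jar under a directory with its version and whether the `JndiLookup` class is still inside. The directory names and jars created by `build_sample` are constructed; `inventory` is meant to be pointed at the real install root.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")

def jar_version(jar, filename):
    """Prefer Implementation-Version from the manifest, else the file name."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    m = NAME_RE.match(filename)
    return m.group(1) if m else "unknown"

def inventory(root):
    """Return one record per log4j-core jar found anywhere under root."""
    found = []
    for path in sorted(Path(root).rglob("log4j-core*.jar")):
        rec = {"path": str(path.relative_to(root)),
               "version": "unreadable", "jndi_lookup": None}
        try:
            with zipfile.ZipFile(path) as jar:
                rec["version"] = jar_version(jar, path.name)
                rec["jndi_lookup"] = JNDI_CLASS in jar.namelist()
        except zipfile.BadZipFile:
            pass  # keep the record so a corrupt leftover is still listed
        found.append(rec)
    return found

def build_sample(root):  # constructed layout: a leftover tree beside the current one
    for rel, classes in [("leftover/lib/log4j-core-2.11.1.jar", [JNDI_CLASS]),
                         ("current/lib/log4j-core-2.17.1.jar", [JNDI_CLASS]),
                         ("current/ext/log4j-core-2.11.1.jar", [])]:
        jar_path = Path(root) / rel
        jar_path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(jar_path, "w") as jar:
            for name in classes:
                jar.writestr(name, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rec in inventory(tmp):
            print(rec)
```

Comparing the listed paths with the paths in the scanner finding shows whether a flagged jar sits in a directory left behind by an earlier version or in the current install.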