I will explain this in more details.
Apache log4j has two major releases: log4j 1.x (EOL) and log4j 2.x.
The vulnerable class is packaged as a part of log4j-core jar, and not log4j-api jar.
Since DLP includes log4j-api jar file and not log4j-core, it is not vulnerable to CVE-2021-44228.
log4j 1.x does not have Jndi class, and hence is automatically NOT vulnerable to log4shell (CVE-2021-44228).
In the patchset, Apache team also addressed a similar security issue in JMSAppender class (which is present in both log4j 1.x and log4j 2.x).
DLP Security team reviewed entire source code and concluded the JMS Appender functionality is not being used in DLP.
DLP ships log4j 1.x and only one jar file (log4j-api-2.x.jar) from log4j 2.x.
Given the above information, it is safe to conclude none of the log4j packages shipped with DLP are vulnerable to either CVE-2021-44228 or JMSAppender vulnerability.
Security scanners that flagged log4j-api vulnerable should be updated with this new information. We recommend customers update their scanner database on a regular basis. We have reports that Qualys scanner did flag log4j-api as being vulnerable, which is a false-positive