According to the release notes, it has a newer log4j version - https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3d-release-notes.html
Apache log4j is updated to version 2.17.1.
Hi, did you manage to get any more information regarding this? Similar to yourself, Nessus picks up the same vulnerabilities due to the packages still being there even after the upgrade.
Would be nice to get an official VMware response regarding this.
I can't speak to the specifics of the SecureStrux solution, but I can say our Tenable/Nessus gives both 7.0 U3C and U3E (build 19717403) a clean bill of health. I've definitely seen Nessus in the past see some remnant of an older package and then flag it as bad (just because the installer didn't clean up the old structure) but I don't know if that's what ACAS is seeing or what...
Hope that helps