Software that has packaged a vulnerable version of the log4j library is considered vulnerable to CVE-2021-44228 or "log4shell". When I look at the NIST definition I can see that the vulnerable versions of log4j are listed, as well as configurations for applications from Cisco, Siemens and Intel which used the affected library.
This seems logical to me, as these applications are vulnerable and therefore should be listed. However, vendors such as IBM, Dell, VMware and Oracle have known instances of this vulnerability but have not added their lists to NIST. These are all large corporations that regularly publish vulnerability definitions to NIST, so this discrepancy seems odd.
What should the correct behavior be?