Luis Hi Luis, the internal discussion is ongoing. I cannot guarantee anything, but to summarize their discussion:
"We upgraded to 2.17.2 last year. It doesn’t have any direct vulnerabilities, but has ... vulnerabilities from dependencies ... Even the latest log4j version 2.21.1 also has vulnerabilities from dependencies ... However, we will discuss this with our security team and upgrade in upcoming releases accordingly. Hope this helps".
If necessary, you can follow up with IBM Support.