I'm running log4j-sniffer against neo4j 4.4.32 and the result is true for log4j vulnerability, as you can see below:
[INFO] Found JndiLookup class not in the log4j package at org/neo4j/logging/shaded/log4j/core/lookup/JndiLookup.class
[INFO] Found JndiManager class not in the log4j package at org/neo4j/logging/shaded/log4j/core/net/JndiManager.class
[INFO] Found JndiManager class that had identical bytecode instruction as a known version at org/neo4j/logging/shaded/log4j/core/net/JndiManager.class
[MATCH] invalid version - unknown CVE status detected in file d:\neo4j-community-4.4.32\lib\neo4j-logging-4.4.32.jar. log4j versions: unknown. Reasons: JndiLookup class name matched
Files affected by CVE-2021-44228 or CVE-2021-45046 or CVE-2021-45105 or CVE-2021-44832 detected: 1 file(s)
194 total files scanned, skipped identifying 0 files due to config, skipped 0 paths due to permission denied errors, encountered 0 errors processing paths
What is interesting is that the CVEs reported are all CVE-2021-#####, i.e. CVEs reported some 3 yrs ago.
The 1st CVE referenced is CVE-2021-44228, and as described at CVE - CVE-2021-44228, it indicates:
Description
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages .... ..... From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed.
and yet the ./META-INF/maven/org.apache.logging.log4j/log4j-core/pom.xml as part of 4.4.32\lib\neo4j-logging-4.4.32.jar reports