Are any of the components of CA Process Automation affected by the log4j vulnerability that was announced recently - CVE-2021-44228 or CVE-2021-4104?

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

CA Process Automation: All supported versions

Supported versions of CA Process Automation can be found here: CA Process Automation Release and Support Lifecycle Dates

CA Process Automation, a.k.a. ITPAM (all supported versions) is not affected by this vulnerability (CVE-2021-44228) as the Log4j version used in ITPAM (Log4j 1.2) is outside the affected range (Log4j 2.0 - 2.14.1).

CA Process Automation, a.k.a. ITPAM (all supported versions) is not affected by this vulnerability (CVE-2021-4104) as it only affects Log4j 1.2 when specifically configured to use JMSAppender - which is not used in ITPAM (by default).

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Service Operations Insight (SOI) in not affected by the log4j zero day vulnerability

However, the Ca Help Desk Connector is:

https://knowledge.broadcom.com/external/article/230292/

CA Embedded Entitlements Manager(EEM) is not affected by the log4j zero day vulnerability

https://knowledge.broadcom.com/external/article/230311/

The following related vulnerabilites (regarding RCE or Remote Code Execution) are also not affected for PAM.  PAM 4.3.04 uses log4j 1.x and JMSAppender is not configured and enabled by default so ITPAM is not affected.

Apache Log4j < 2.15.0 Remote Code Execution (Windows)
https://www.tenable.com/plugins/nessus/156002

Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE
https://www.tenable.com/plugins/nessus/156327