Are any of the components of CA Process Automation affected by the log4j vulnerability that was announced recently - CVE-2021-44228 or CVE-2021-4104?
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled
CA Process Automation: All supported versions
Supported versions of CA Process Automation can be found here: CA Process Automation Release and Support Lifecycle Dates
Service Operations Insight (SOI) in not affected by the log4j zero day vulnerability
However, the Ca Help Desk Connector is:
CA Embedded Entitlements Manager(EEM) is not affected by the log4j zero day vulnerability
The following related vulnerabilites (regarding RCE or Remote Code Execution) are also not affected for PAM. PAM 4.3.04 uses log4j 1.x and JMSAppender is not configured and enabled by default so ITPAM is not affected.