Is Client Automation affected by CVE-2021-4104?

Article ID: 231184


Products

CA Client Automation - IT Client Manager CA Client Automation

Issue/Introduction

Is Client Automation affected by CVE-2021-4104?

The following links indicate that CVE-2021-4104 is a vulnerability in the JMSAppender of Log4j 1.2:

https://cve.circl.lu/cve/CVE-2021-4104
https://www.kb.cert.org/vuls/id/930724

There are some log4j 1.2 jar files in Client Automation.

Environment

Client Automation - Any Versions

Cause

In Client Automation 14.0 SP3 and 14.0 SP5:

log4j-1.2.8.jar is found in these directories:

C:\Program Files (x86)\CA\DSM\database\lib
C:\Program Files (x86)\CA\SC\CIC\lib
C:\Program Files (x86)\CA\SC\CIC\Tomcat\webapps\CICManager\WEB-INF\lib

log4j-1.2.13.jar is found in these directories:

C:\Program Files (x86)\CA\DSM\database\mdb_install\lib
C:\Program Files (x86)\CA\SC\Windows\lib

log4j-1.2.17.jar is found in these directories:

C:\Program Files (x86)\CA\DSM\Bin\ral\lib
C:\Program Files (x86)\CA\DSM\Bin\Telemetry\jars
C:\Program Files (x86)\CA\DSM\Web Console\webapps\AMS\WEB-INF\lib
C:\Program Files (x86)\CA\DSM\Web Console\webapps\pmengine\WEB-INF\lib
C:\Program Files (x86)\CA\DSM\Web Console\webapps\wac\WEB-INF\lib

Resolution

The following article:
https://cve.circl.lu/cve/CVE-2021-4104

contains this note:
"Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default."

Client Automation installs some log4j 1.2.* jars, but JMSAppender is neither used nor configured in the log4j.properties files.
These files do not contain any JMSAppender configuration:

C:\Program Files (x86)\CA\DSM\database\log4j.properties
C:\Program Files (x86)\CA\DSM\Web Console\webapps\AMS\WEB-INF\classes\log4j.properties

So Client Automation 14.* is not affected by the vulnerability CVE-2021-4104.

Anyway, the class file org/apache/log4j/net/JMSAppender.class is present in log4j-1.2.8.jar, log4j-1.2.13.jar and log4j-1.2.17.jar.
It is possible to remove this class from the log4j-1.2*.jar files to make sure that vulnerability CVE-2021-44228 could not be used:

1- Stop CAF:
caf stop

2- Open log4j-1.2.8.jar from one of the directories listed in the Cause section with 7-Zip and remove the file org/apache/log4j/net/JMSAppender.class.
Copy the updated jar into the two other directories.

3- Open log4j-1.2.13.jar from one of the directories listed in the Cause section with 7-Zip and remove the file org/apache/log4j/net/JMSAppender.class.
Copy the updated jar into the other directory.

4- Open log4j-1.2.17.jar from one of the directories listed in the Cause section with 7-Zip and remove the file org/apache/log4j/net/JMSAppender.class.
Copy the updated jar into the other directories.

5- Start CAF:
caf start
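As an added example (not from the article or from CA), the two checks of the Resolution section scripted in Python instead of done by hand with 7-Zip: the script reports whether a log4j.properties text configures org.apache.log4j.net.JMSAppender, which the quoted note gives as the condition for CVE-2021-4104 to apply, and it rewrites a log4j-1.2*.jar without org/apache/log4j/net/JMSAppender.class as steps 2 to 4 do. The jar content and the properties text it runs on are constructed for the demo, the function names and the .bak backup are this example's own choices, and to apply it to a real installation audit_jars has to be pointed at the directories listed in the Cause section while caf is stopped.

```python
"""Audit log4j 1.2 jars and log4j.properties for JMSAppender.

Added example, not part of the CA article. Function names, the .bak backup
and the sample jar/properties contents are this example's own constructions.
"""
import io
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"

# A log4j.properties line such as
#   log4j.appender.jms=org.apache.log4j.net.JMSAppender
# is the configuration CVE-2021-4104 requires; CA's files have no such line.
JMS_CONFIG_RE = re.compile(
    r"^\s*log4j\.appender\.[^=:\s]+\s*[=:]\s*org\.apache\.log4j\.net\.JMSAppender\s*$",
    re.MULTILINE,
)

# Constructed sample in the shape of a log4j.properties file (not CA's own).
SAFE_PROPERTIES = """log4j.rootLogger=INFO, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=dsm.log
"""
# The same file with a JMSAppender declared: the case the quoted note warns about.
JMS_PROPERTIES = SAFE_PROPERTIES + "log4j.appender.JMS=org.apache.log4j.net.JMSAppender\n"


def has_jms_appender_config(properties_text: str) -> bool:
    """True if the log4j.properties text declares a JMSAppender."""
    return JMS_CONFIG_RE.search(properties_text) is not None


def jar_contains_jms_appender(jar_path: Path) -> bool:
    """True if the jar still ships org/apache/log4j/net/JMSAppender.class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JMS_CLASS in zf.namelist()


def audit_jars(directories) -> dict:
    """Map every log4j-1.2*.jar found directly in the given directories to
    whether it contains JMSAppender.class (pass the Cause-section paths)."""
    findings = {}
    for directory in directories:
        for jar in sorted(Path(directory).glob("log4j-1.2*.jar")):
            findings[str(jar)] = jar_contains_jms_appender(jar)
    return findings


def strip_jms_appender(jar_path: Path) -> bool:
    """Rewrite the jar without JMSAppender.class, keeping every other entry
    with its original metadata. Returns False when there is nothing to remove.
    The original is kept as <name>.bak so the change can be reverted."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as src:
        entries = src.infolist()
        if not any(e.filename == JMS_CLASS for e in entries):
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for entry in entries:
                if entry.filename != JMS_CLASS:
                    dst.writestr(entry, src.read(entry.filename))
    shutil.copy2(jar_path, jar_path.with_name(jar_path.name + ".bak"))
    jar_path.write_bytes(buf.getvalue())
    return True


def make_sample_jar(path: Path) -> Path:
    """Construct a tiny stand-in for log4j-1.2.17.jar (not the real jar):
    a manifest, one placeholder class and the JMSAppender class."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JMS_CLASS, b"\xca\xfe\xba\xbe")
    return path


def demo() -> dict:
    """Run the audit and the removal against the constructed jar in a
    temporary directory and return what was observed."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        jar = make_sample_jar(lib / "log4j-1.2.17.jar")
        before = audit_jars([lib])[str(jar)]
        removed = strip_jms_appender(jar)
        after = audit_jars([lib])[str(jar)]
        with zipfile.ZipFile(jar) as zf:
            remaining = sorted(zf.namelist())
        return {
            "before": before,                                        # True
            "removed": removed,                                      # True
            "after": after,                                          # False
            "remaining": remaining,
            "backup_exists": jar.with_name(jar.name + ".bak").exists(),  # True
            "second_pass": strip_jms_appender(jar),                  # False
            "safe_props": has_jms_appender_config(SAFE_PROPERTIES),  # False
            "jms_props": has_jms_appender_config(JMS_PROPERTIES),    # True
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints the demo findings; on an installation, call audit_jars with the Cause-section directories to see which jars still carry the class, strip_jms_appender on each reported jar, and then copy the rewritten jar to the other directories that hold the same version, as steps 2 to 4 describe.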