The following article:
https://cve.circl.lu/cve/CVE-2021-4104
contains this note:
"Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default."
In Client Automation, some log4j 1.2.* versions are installed, but JMSAppender is not used and is not configured in the log4j.properties files.
The following files do not contain any JMSAppender configuration:
C:\Program Files (x86)\CA\DSM\database\log4j.properties
C:\Program Files (x86)\CA\DSM\Web Console\webapps\AMS\WEB-INF\classes\log4j.properties
So Client Automation 14.* is not affected by the vulnerability CVE-2021-4104.
However, the class file org/apache/log4j/net/JMSAppender.class is present in the files log4j-1.2.8.jar, log4j-1.2.13.jar and log4j-1.2.17.jar.
It is possible to remove this class file from the log4j-1.2*.jar files to make sure that vulnerability CVE-2021-44228 cannot be used:
1- Do a caf stop
caf stop
2- Open log4j-1.2.8.jar from one of the directories (see Cause section) with 7-Zip and remove the file org/apache/log4j/net/JMSAppender.class
Copy the updated file into the 2 other directories.
3- Open log4j-1.2.13.jar from one of the directories (see Cause section) with 7-Zip and remove the file org/apache/log4j/net/JMSAppender.class
Copy the updated file into the other directory.
4- Open log4j-1.2.17.jar from one of the directories (see Cause section) with 7-Zip and remove the file org/apache/log4j/net/JMSAppender.class
Copy the updated file into the other directories.
5- Do a caf start
caf start
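
The PowerShell script below is an added example, not part of the original article or of the product. It reports whether any log4j.properties file has an active JMSAppender line and whether each log4j-1.2*.jar still contains org/apache/log4j/net/JMSAppender.class, which verifies the result of steps 2 to 4. The search root, the output field names and the -Remove switch (which deletes the class after saving a .bak copy, and must only be used between caf stop and caf start) are assumptions of this example.

```powershell
# Added example: audit (and optionally strip) JMSAppender from log4j 1.2 jars.
# Assumption: the jars and properties files are located under $Root.
param(
    [string]$Root = 'C:\Program Files (x86)\CA\DSM',
    [switch]$Remove   # use only between "caf stop" and "caf start"
)

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem
$entryName = 'org/apache/log4j/net/JMSAppender.class'

# 1. Configuration check: an active (non-comment) line that names JMSAppender.
#    In Java properties files, comment lines start with '#' or '!'.
$props = Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'log4j.properties' -ErrorAction SilentlyContinue
foreach ($file in $props) {
    $active = Select-String -LiteralPath $file.FullName -Pattern 'JMSAppender' |
        Where-Object { $_.Line -notmatch '^\s*[#!]' }
    $state = if ($active) { 'configured' } else { 'not configured' }
    [pscustomobject]@{ Check = 'config'; JMSAppender = $state; Path = $file.FullName }
}

# 2. Jar check: is the class still packaged? With -Remove, delete the entry.
$jars = Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'log4j-1.2*.jar' -ErrorAction SilentlyContinue
foreach ($jar in $jars) {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
    try { $present = $null -ne $zip.GetEntry($entryName) } finally { $zip.Dispose() }
    $state = if ($present) { 'present' } else { 'absent' }

    if ($present -and $Remove) {
        # Keep the original jar beside the modified one before changing it.
        Copy-Item -LiteralPath $jar.FullName -Destination "$($jar.FullName).bak"
        $zip = [System.IO.Compression.ZipFile]::Open(
            $jar.FullName, [System.IO.Compression.ZipArchiveMode]::Update)
        try { $zip.GetEntry($entryName).Delete() } finally { $zip.Dispose() }
        $state = 'removed'
    }
    [pscustomobject]@{ Check = 'jar'; JMSAppender = $state; Path = $jar.FullName }
}
```

Run without -Remove, every jar should report "absent" once the procedure has been completed in all directories.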