CVE-2019-17571 and CVE-2021-4104: log4j-1.2.17 Vulnerability on PIM/PAMSC endpoints

Article ID: 231270

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

PIM 12.8SP1 and PAMSC 14.1 endpoints have "log4j-1.2.17" installed on them specifically for the integration with Arcot. Per CVE-2019-17571 and CVE-2021-4104, this module may be vulnerable if used in certain configurations, but it is not vulnerable in the default configuration.

Environment

Privileged Identity Manager 12.8

PAM Server Control 14.x

Resolution

If the Arcot integration feature is not being used with the endpoints, the file /opt/CA/AccessControl/lbin/java/arcot/log4j-1.2.17.jar can be deleted.

If this integration is used with the endpoints, please contact Broadcom support for further discussion.
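
To decide which of the two cases above applies to an endpoint, the following is an added example (not Broadcom tooling) that reports whether the jar is present and whether any log4j configuration file references JMSAppender, the non-default setting CVE-2021-4104 depends on. The jar path is the one given in this article; the function name, the return codes and the choice to search the whole /opt/CA/AccessControl tree for log4j.properties and log4j.xml are assumptions. It does not look for a running SocketServer listener (CVE-2019-17571).

```shell
#!/bin/sh
# Added example: triage for the log4j-1.2.17.jar installed for the Arcot integration.
# JAR_REL is the path from this article; everything else here is an assumption.
JAR_REL="opt/CA/AccessControl/lbin/java/arcot/log4j-1.2.17.jar"

# triage_log4j1 ROOT
#   ROOT is the filesystem root to inspect: "/" on a live endpoint, or the
#   mount point of an image or a test tree. Prints findings and returns:
#     0 = jar absent
#     1 = jar present, no JMSAppender reference found in log4j config files
#     2 = jar present and a log4j config file references JMSAppender
triage_log4j1() {
    root=${1:-/}
    jar="${root%/}/$JAR_REL"
    if [ ! -f "$jar" ]; then
        echo "absent: $jar"
        return 0
    fi
    echo "present: $jar"

    # Log4j 1.x reads log4j.properties or log4j.xml. Search the product tree
    # (assumed location) and list any file that names JMSAppender.
    base="${root%/}/opt/CA/AccessControl"
    hits=$(find "$base" -type f \
               \( -name 'log4j.properties' -o -name 'log4j.xml' \) \
               -exec grep -l 'JMSAppender' {} + 2>/dev/null || true)

    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/JMSAppender referenced in: /'
        return 2
    fi
    echo "no JMSAppender reference in log4j config under $base"
    return 1
}
```

On an endpoint, run `triage_log4j1 /` as a user that can read the AccessControl tree; a result of 1 or 2 means the jar is still there and the Resolution steps apply.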

Additional Information

After reviewing this feature usage in our client base, product management has decided to remove this from all new installs going forward.

https://nvd.nist.gov/vuln/detail/CVE-2019-17571

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571

https://logging.apache.org/log4j/1.2/