To remediate Log4j CVE-2021-44228, the customer's cybersecurity teams have suggested manually removing JndiLookup.class from log4j-core*.jar in Advanced Authentication's web applications such as arcotadmin and arcotuds. Is this remediation certified by Broadcom Engineering?
Release: 9.1
Component: AuthMinder (Arcot WebFort)
RiskMinder (Arcot RiskFort)
Log4j CVE-2021-44228 vulnerability
Broadcom has not certified the manual approach of removing JndiLookup.class from log4j-core*.jar in Advanced Authentication's web applications such as arcotadmin and arcotuds. The Advanced Authentication team has provided patches that incorporate the latest JAR files into the product. Additionally, we have provided steps to manually upgrade to the latest Apache JAR files in case any additional vulnerabilities are found. Please refer to the KB article listed in the Additional Information section for details.
Also refer to this KB article:
https://knowledge.broadcom.com/external/article?articleId=230301
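
To check which state each deployment is in, the following added example (not Broadcom's code and not part of the certified procedure) inventories log4j-core*.jar files under a web application directory, including jars nested in .war archives, and reports the version from each file name and whether JndiLookup.class is still present. The directory layout, the .war packaging and the version numbers in the sample are constructed for illustration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Entry that the manual workaround deletes from log4j-core 2.x jars.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"(?:^|/)log4j-core-?([\d.]*\d)?[^/]*\.jar$")

def _inspect(jar_file, label):
    """Report one log4j-core jar: version from its file name, JndiLookup presence."""
    version = JAR_NAME.search(label).group(1)
    with zipfile.ZipFile(jar_file) as jar:
        present = JNDI_CLASS in jar.namelist()
    return {"jar": label, "version": version, "jndi_lookup_present": present}

def scan_webapps(root):
    """Inventory log4j-core jars in exploded web apps and inside .war archives."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and JAR_NAME.search(rel):
            findings.append(_inspect(path, rel))
        elif path.is_file() and path.suffix == ".war":
            with zipfile.ZipFile(path) as war:
                for entry in war.namelist():
                    if JAR_NAME.search(entry):
                        data = io.BytesIO(war.read(entry))
                        findings.append(_inspect(data, f"{rel}!/{entry}"))
    return findings

def build_sample(root):
    """Constructed sample: one intact jar (exploded app), one stripped jar (in a .war)."""
    lib = Path(root, "arcotadmin", "WEB-INF", "lib")
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "log4j-core-2.17.1.jar", "w") as jar:
        jar.writestr(JNDI_CLASS, b"")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(Path(root, "arcotuds.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in scan_webapps(tmp):
            print(row)
```

A jar reported with `jndi_lookup_present` set to False is consistent with the manual class removal described above, so it marks a deployment that still needs the vendor patch or the documented JAR upgrade.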