Log4j vulnerability patches provided for AA 9.1.x still allow a "risk-restapi.war" file (in <ARCOT_HOME>\java\webapps) that uses un-remediated Log4J JAR files with versions older than the recommended version Log4j 2.17.
Release : 9.1.x
Component : RiskMinder (Arcot Riskfort) CA Risk Authentication
In a 9.1.x installation that is patched for the Log4j vulnerability, the "risk-restapi.war" file (in <ARCOT_HOME>\java\webapps) still references un-remediated Log4j JAR files with versions older than the recommended version, Log4j 2.17.
In the latest versions, please use aa-restapi.war, which is the cumulative WAR for the AA REST API. The "risk-restapi.war" file is carried over from older releases and should not be deployed or used. Refer to this AA document link: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/advanced-authentication/9-1/release-notes-9-1/deprecated-components.html. This link calls out the old Risk REST APIs as deprecated.
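To confirm which WAR files under <ARCOT_HOME>\java\webapps still bundle a Log4j JAR older than 2.17, the following added example (not Broadcom's code) inspects a WAR's entries and reports the old JARs. The function names and the sample JAR versions are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Matches bundled Log4j JARs such as WEB-INF/lib/log4j-core-2.14.1.jar or log4j-1.2.17.jar
LOG4J_JAR = re.compile(r"(?:^|/)(log4j(?:-core|-api)?)-(\d+(?:\.\d+)*)[^/]*\.jar$")
MIN_VERSION = (2, 17)  # recommended minimum version stated in the article


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_old_log4j(war, minimum=MIN_VERSION):
    """Return sorted (entry, version) pairs for Log4j JARs older than `minimum`.

    `war` is a path or a binary file object for a WAR (ZIP) archive.
    """
    findings = []
    with zipfile.ZipFile(war) as archive:
        for name in archive.namelist():
            match = LOG4J_JAR.search(name)
            if match and parse_version(match.group(2)) < minimum:
                findings.append((name, match.group(2)))
    return sorted(findings)


def build_sample_war(jar_names):
    """Build an in-memory WAR holding empty placeholder JARs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for jar in jar_names:
            archive.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples; the JAR versions are illustrative, not taken from the product.
    old = build_sample_war(["log4j-core-2.14.1.jar", "log4j-api-2.14.1.jar", "commons-io-2.11.0.jar"])
    new = build_sample_war(["log4j-core-2.17.1.jar", "log4j-api-2.17.1.jar"])
    print("sample old WAR:", find_old_log4j(old))
    print("sample new WAR:", find_old_log4j(new))
```

On a real installation, pass the path of each WAR in the webapps directory to `find_old_log4j`. The check matches on JAR file names only, so it does not detect Log4j classes repackaged inside another JAR.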