SOI 4.2 CU2 is using log4j 1.2.17 which is affected by CVE-2021-4104
The deletion of the JMSAppender class seems to be a general recommendation from other products.
Can the class be disabled in SOI as well or will it lead to errors?
Release : 4.2
Component : Service Operations Insight (SOI) Manager
Official statement from SOI product management:
SOI is not impacted with this JMSAppender vulnerability (reported on log4j 1.x) out of the box because we extended a few classes from this JMSAppender class and are using a different configuration file to load the configuration.
So the attacker needs to have access to this configuration file to exploit this vulnerability, without which it cannot be exploited
The JMSAppender class from the log4j libraries cannot/ should not be removed, as it will impact the functioning of SOI because we have extended this class.
Regarding log4j 2.x upgrade, we are in the process of analyzing this upgrade.
An initial analysis suggests that a large number of changes are required for this upgrade and it won't be a part of the upcoming CU3 release.
It will be included in a future cumulative post CU3 to which we do not have an exact timeline yet given we are to size this effort. We will keep our customers posted as and when we progress and plan to include log4j 2.x upgrade in the upcoming cumulatives.