The vulnerability information of the log4j1.x version specified by the Korea Internet & Security Agency.
(https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=36389)
CVE-2021-4104
- 1.x version.
※ No vulnerability impact if you don't use JMSAppender
- CVE-2021-4104
· Modify or delete the code after checking to use the JMSAppender.
As above, it is stated to modify or delete the code when using the JMSAppender,
Symantec Identity manager Release : 14.4
CVE-2021-4104
· Modify or delete the code after checking to use the JMSAppender.
Identity Manager does not use the JMSAppender class anywhere directly.
Our product does not use the class and is not vulnerable because it is not implemented. So the mere presence of the class is not a vulnerability problem and you can request a waiver from your security team; or they can direct you in removing it.
You can delete the JMSAppender class under the direction of your security team, as needed.
However, if you have done any customization or integration with that class, removing it would affect your customization.