As per https://knowledge.broadcom.com/external/article?articleId=230306, it mentions that IT PAM is not affected by the (CVE-2021-44228) vulnerability as the Log4j version used in ITPAM (Log4j 1.2) is outside the affected range (Log4j 2.0 - 2.14.1). It is also not affected by the (CVE-2021-4104) vulnerability as it only affects Log4j 1.2 when specifically configured to use JMSAppender - which is not used in ITPAM (by default). Having said that, would it be possible (with no impact on the application) to delete the log4j*.jar files in the installation folder? Or would doing so impact the application and make it unusable?
The reason is that our security team still deemed that running a lower, unsupported version of Log4j poses a risk.
Release : 4.3
Component : Process Automation
While it is not possible to delete the log4j*.jar files from the ITPAM installation folder, the following remediation is suggested for both EEM and ITPAM: remove from the JAR files the classes that the security scans detect (JMSAppender and SocketServer), leaving the rest of the JAR intact.
EEM:
If you are using the EEM SDK and EEM Server, follow the steps below to remove the JMSAppender and SocketServer classes from the JAR files.
Copy the JARs to another server first so that you have a backup to restore from if anything goes wrong.
1. eiam-log4j-1.2.15.jar
Location: $EIAM/lib/jars
zip -q -d eiam-log4j-1.2.15.jar com/ca/eiam/log4j/net/SocketServer.class
2. log4j-1.2.5.jar
Location: $EIAM/lib/jars
zip -q -d log4j-1.2.5.jar org/apache/log4j/net/SocketServer.class
zip -q -d log4j-1.2.5.jar org/apache/log4j/net/JMSAppender.class
3. eiam-clustersetup.jar
Location: $EIAM/bin
zip -q -d eiam-clustersetup.jar com/ca/eiam/log4j/net/SocketServer.class
4. safeauditimport.jar
Location: $EIAM/bin
zip -q -d safeauditimport.jar org/apache/log4j/net/JMSAppender.class
5. safetool.jar
Location: Application Server
zip -q -d safetool.jar com/ca/eiam/log4j/net/SocketServer.class
6. Safe.jar
Location: Application Server
zip -q -d Safe.jar com/ca/eiam/log4j/net/SocketServer.class
Stop the EEM services before performing the above steps and start them again once done.
PAM:
For PAM, follow the steps below to remove the JMSAppender and SocketServer classes from the JAR files.
Stop the PAM service before following the steps below and start it again afterwards.
1. Safe-12.6.1.0.jar (the version number may vary with the PAM version)
It will be available at following locations:
a. <PAM>\server\c2o\.c2orepository\.c2oserverresources\lib
b. <PAM>\server\c2o\ext-lib
c. <PAM>\server\c2o\.install4j\user
zip -q -d Safe-12.6.1.0.jar com/ca/eiam/log4j/net/SocketServer.class
2. c2otransport-snapshot.jar (manual steps)
It will be available at following locations:
a. <PAM>\server\c2o\.c2orepository\.c2oserverresources\lib
b. <PAM>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
c. <PAM>\CA\PAM435ISOCP06\server\c2o\ext-deploy
Open c2otransport-snapshot.jar with a zip utility (7-Zip or WinZip) and delete SocketServer.class and JMSAppender.class from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\net\ (the log4j JAR is nested inside the transport JAR, which is why a plain zip -q -d on the outer file cannot reach these classes).
For PAM Agents, follow the steps below to remove the JMSAppender and SocketServer classes from the JAR files.
Stop the PAMAgent service before following the steps below and start it again afterwards.
1. c2otransport-snapshot.jar (manual steps)
It will be available at following location:
<PAMAgent>\.c2orepository\.c2oagentresources\lib\c2o\jars
Open c2otransport-snapshot.jar with a zip utility (7-Zip or WinZip) and delete SocketServer.class and JMSAppender.class from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\net\ (nested JAR, same as the server-side step above).
2. log4j-1.2.15.jar (manual steps)
It will be available at these locations:
<PAMAgent>\.c2orepository\.c2oagentresources\lib
<PAMAgent>\.c2orepository\.c2ocommonresources\lib\log4j\jars
Commands to remove the problematic classes:
zip -q -d log4j-1.2.15.jar org/apache/log4j/net/SocketServer.class
zip -q -d log4j-1.2.15.jar org/apache/log4j/net/JMSAppender.class
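The EEM and PAM steps above are the same operation repeated over many files: back up the JAR, delete two or three class entries, and for c2otransport-snapshot.jar do it one level down inside a nested log4j-1.2.15.jar. The script below is an added example (not Broadcom's tooling and not part of the article) that performs that whole procedure with Python's standard zipfile module, so it also works on hosts without the Info-ZIP zip command and covers the nested-JAR case that the article lists as manual. It also includes the verification pass a practitioner wants afterwards: a listing of any target classes still present, recursing into nested JARs. The sample JAR it builds is a constructed fixture that only mimics the layout of c2otransport-snapshot.jar; file names, paths and the helper names are illustrative assumptions.

```python
"""Remove JMSAppender/SocketServer classes from a jar, including jars nested
inside another jar (the c2otransport-snapshot.jar case), then verify.

Added example, not Broadcom's tooling. Standard library only, so it runs where
the Info-ZIP `zip` command is unavailable. Names and paths are illustrative.
"""
import io
import os
import shutil
import tempfile
import zipfile

# Entries the scans flag in Log4j 1.2 (the article's target list). The
# com/ca/eiam variant is the repackaged copy shipped in the EEM/PAM jars.
TARGET_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
    "com/ca/eiam/log4j/net/SocketServer.class",
)


def _strip_bytes(data, targets, removed, prefix=""):
    """Return a copy of zip archive `data` without `targets`, recursing into
    nested .jar entries. Names of removed entries are appended to `removed`
    ('outer.jar!/inner/path' for entries inside a nested jar)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():          # preserve entry order (MANIFEST first)
            if info.filename in targets:
                removed.append(prefix + info.filename)
                continue
            payload = src.read(info.filename)
            if info.filename.lower().endswith(".jar"):
                # Nested jar, e.g. log4j-1.2.15.jar inside c2otransport-snapshot.jar
                payload = _strip_bytes(payload, targets, removed,
                                       prefix + info.filename + "!/")
            zi = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            zi.compress_type = info.compress_type
            zi.external_attr = info.external_attr
            dst.writestr(zi, payload)        # size and CRC are recomputed
    return out.getvalue()


def strip_classes(jar_path, targets=TARGET_CLASSES, backup=True):
    """Rewrite `jar_path` in place without the target classes. Keeps a
    `<jar>.bak` copy first (the article's backup step) and swaps the new
    archive in atomically. Returns the list of removed entry names."""
    if backup:
        shutil.copy2(jar_path, jar_path + ".bak")
    with open(jar_path, "rb") as f:
        data = f.read()
    removed = []
    new_data = _strip_bytes(data, set(targets), removed)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".")
    with os.fdopen(fd, "wb") as f:
        f.write(new_data)
    os.replace(tmp, jar_path)
    return removed


def _find_bytes(data, targets, prefix):
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in targets:
                found.append(prefix + name)
            elif name.lower().endswith(".jar"):
                found.extend(_find_bytes(zf.read(name), targets, prefix + name + "!/"))
    return found


def find_targets(jar_path, targets=TARGET_CLASSES):
    """Verification pass: target entries still present in the jar, recursing
    into nested jars. An empty list means the scanner has nothing to flag."""
    with open(jar_path, "rb") as f:
        return _find_bytes(f.read(), set(targets), "")


def build_sample_jar(path):
    """Constructed fixture (not a real Broadcom artifact): an outer jar with
    a nested log4j-1.2.15.jar, mimicking the c2otransport-snapshot.jar layout."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe keep")
        z.writestr("org/apache/log4j/net/JMSAppender.class", b"\xca\xfe\xba\xbe jms")
        z.writestr("org/apache/log4j/net/SocketServer.class", b"\xca\xfe\xba\xbe sock")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("com/ca/c2o/Transport.class", b"\xca\xfe\xba\xbe keep")
        z.writestr("com/ca/eiam/log4j/net/SocketServer.class", b"\xca\xfe\xba\xbe sock")
        z.writestr("log4j-1.2.15.jar", inner.getvalue())


def demo():
    """Run the full procedure on the fixture in a scratch directory.
    Returns (flagged_before, removed, flagged_after)."""
    work = tempfile.mkdtemp()
    jar = os.path.join(work, "c2otransport-snapshot.jar")
    build_sample_jar(jar)
    before = find_targets(jar)
    removed = strip_classes(jar)
    after = find_targets(jar)
    # The untouched backup must still carry the classes we just removed.
    assert find_targets(jar + ".bak") == before
    return before, removed, after


if __name__ == "__main__":
    b, r, a = demo()
    print("flagged before:", b)
    print("removed:", r)
    print("flagged after:", a)
```

Run strip_classes() on each JAR listed in the article with the service stopped, then run find_targets() over the same list (or over the whole installation tree) and keep the empty result as evidence for the security team; the .bak copies are the rollback if the application misbehaves on restart.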