As previously announced in the following advisory and KB article, the Broadcom DLP solutions are not vulnerable to the Log4j2 vulnerabilities which were reported in December of 2021:

DLP not vulnerable to zero-day vulnerability CVE-2021-44228

DLP CVE-2021-44228 (broadcom.com)

The DLP solution does contain other Log4j libraries, however. Although they are not susceptible to the reported vulnerabilities, many of our customers have requested that all Log4j libraries be removed from the solution.

DLP versions 15.7 and 15.8

Removal of log4j components will eliminate false positives reported against these non-utilized 3rd party libraries in DLP.

Broadcom removed all log4j libraries with the release of DLP 15.8 Maintenance Pack 2 (GA date was 23 February 2022). 

In addition, a hotfix is available which will fully remove log4j libraries from currently supported versions of the Enforce Server and detection servers.

The hotfix, “Log4jRemovalScripts.zip”, is now available through the Broadcom Support portal for versions 15.7 and 15.8.

It can be found in the following locations:

• In the “15.8_Hotfixes_Server” section of the 15.8 product downloads.
• In the “DLP_15.7MP_Server” section of the 15.7 product downloads.

As per the "Readme" for the script, "This Hotfix can only be applied on Symantec Data Loss Prevention (15.7 & 15.8). 15.8 MP2 will remove the log4j files during the upgrade and does not need to be run if you have 15.8 MP2 installed."

Customers wanting to remove log4j elements from earlier releases of DLP will be required to upgrade to one of the versions listed above.