Log4j 1.2 versions are EOL per Apache, does CA/Broadcom have plans to remove an EOL Log4j?
https://logging.apache.org/log4j/1.2/
On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life. For complete text of the announcement please see the Apache Blog. Users of Log4j 1 are recommended to upgrade to Apache Log4j 2.
When will Performance Management update to log4j2?
Does Performance Management use log4j2?
Release: 21.2.x
Netops Portal/PC:
------------------------
Starting with 21.2.8, around 99% of the code is already using log4j2. Due to a problem with CABI, the remaining part of the code is targeted to be fixed in 21.2.9 or, at the latest, 21.2.10.
Data Aggregator (DA) and Data Collector (DC):
--------------------------------------------------------------
As of 21.2.7, log4j has been updated to log4j2 on the DA and DC, except for the log4j bundled in ActiveMQ (AMQ). We depend on the community updating the AMQ third-party software. Currently there is no ETA for AMQ 5.17.0, which will carry the log4j2 update. Once it is released we will upgrade AMQ.
Note: 21.2.9 will ship AMQ 5.16.4, which replaces log4j 1.2.17 with reload4j 1.2.19 and resolves the vulnerabilities in 1.2.17.
Data Repository (DR)/Vertica:
----------------------------------------
The vulnerability is fixed in Vertica 10.1.1-14 and later, which will be shipped in a future DX NetOps version (currently there is no ETA for this). Since Kafka is not used in Vertica, it can be safely uninstalled.
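Because the components above are at different stages (log4j2 on most of the Portal, DA and DC; reload4j inside AMQ; a pending Vertica update), an operator verifying an upgrade wants an inventory of which logging-library generation each jar on a host belongs to. The script below is an added example, not CA/Broadcom code or a documented procedure: it classifies jars by artifact file name (log4j 1.x, reload4j, log4j2 or other), extracts the version, and counts the EOL jars left under an install tree. Directory paths in the usage line are assumptions, not the product's documented layout. Note that reload4j deliberately keeps the `org/apache/log4j` package, so a class-path check on a jar's contents (the last helper) flags both families and only helps when log4j classes are repackaged inside a larger jar.

```shell
#!/bin/sh
# Constructed example (not CA/Broadcom code): inventory the logging jars under an
# install tree and report which generation each one belongs to, so an operator can
# confirm that no EOL log4j 1.x jar remains after an upgrade.

# Classify a jar by its file name: log4j1 (EOL), reload4j, log4j2 or other.
classify_jar() {
  case "$(basename "$1")" in
    log4j-1.*.jar)                    echo log4j1 ;;
    reload4j-*.jar)                   echo reload4j ;;
    log4j-api-*.jar|log4j-core-*.jar) echo log4j2 ;;
    *)                                echo other ;;
  esac
}

# Extract the version from an artifact file name: log4j-core-2.17.1.jar -> 2.17.1
jar_version() {
  basename "$1" .jar | sed 's/^.*-\([0-9][0-9.]*\)$/\1/'
}

# reload4j keeps the org/apache/log4j package, so this check flags both families;
# it is useful for spotting log4j classes repackaged inside a larger jar.
bundles_log4j1_packages() {
  unzip -l "$1" 2>/dev/null | grep -q ' org/apache/log4j/'
}

# Print one "class version path" line per jar found under a directory.
scan_jars() {
  find "$1" -type f -name '*.jar' | sort | while read -r jar; do
    printf '%s %s %s\n' "$(classify_jar "$jar")" "$(jar_version "$jar")" "$jar"
  done
}

# Count the jars of one class under a directory; alert when log4j1 is greater than 0.
count_class() {
  scan_jars "$1" | awk -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# Usage (assumed install root, adjust to the real one):
#   scan_jars /opt/CA
#   count_class /opt/CA log4j1
```

Run `scan_jars` against each component's install root and keep the output with the change record; a non-zero `count_class ... log4j1` on the AMQ directory before 21.2.9 is the expected state described above, and it should drop to zero once AMQ 5.16.4 (reload4j) is in place.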