Is NetOps Performance Management 21.2.x affected by these Log4j 1 vulnerabilities?
CVE-2022-23302: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
CVE-2022-23305: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
CVE-2022-23307: CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23307
Release: 21.2
Component: PM Web UI Administration/Configuration
Performance Management 21.2.x is not affected by these vulnerabilities, as it doesn't use any of the vulnerable classes and appenders mentioned in the CVEs (JMSSink, JDBCAppender, SocketAppender).
See the following for the Log4j versions used by NetOps version:
https://knowledge.broadcom.com/external/article?articleId=235074
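One way to check a deployment for the classes named above is to scan its Log4j 1.x configuration files and start scripts for live references to them. This is an added example, not Broadcom's code: the fully qualified names are the standard Log4j 1.2.x package names, the sample input is constructed, and which files to scan in a NetOps installation is not stated in this article.

```python
import re

# Log4j 1.2.x classes named in the CVE descriptions and in the article's statement.
FLAGGED = {
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.net.SocketAppender": "listed in the article",
}
CHAINSAW_PKG = "org.apache.log4j.chainsaw."  # Chainsaw as bundled in 1.2.x
CLASS_RE = re.compile(r"org\.apache\.log4j(?:\.[A-Za-z_$][\w$]*)+")


def classify(cls):
    """Return the CVE (or note) for a flagged class name, else None."""
    if cls.startswith(CHAINSAW_PKG):
        return "CVE-2022-23307"
    return FLAGGED.get(cls)


def audit(text):
    """Return (line_no, class, reason) for each live reference to a flagged class.

    Works on log4j.properties, log4j.xml and launch scripts: '#'/'!' comment
    lines and XML comments are ignored, and line numbers are preserved.
    """
    blank = lambda m: "\n" * m.group().count("\n")
    text = re.sub(r"<!--.*?-->", blank, text, flags=re.S)
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "!")):
            continue
        for cls in CLASS_RE.findall(line):
            reason = classify(cls)
            if reason:
                hits.append((no, cls, reason))
    return hits


# Constructed sample: lines from a properties file, an XML config and a start script.
SAMPLE = """\
# log4j.appender.OLD=org.apache.log4j.jdbc.JDBCAppender
log4j.rootLogger=INFO, FILE, DB
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
<!-- <appender name="S" class="org.apache.log4j.net.SocketAppender"/> -->
<appender name="NET" class="org.apache.log4j.net.SocketAppender"/>
java -cp log4j.jar org.apache.log4j.chainsaw.Main
"""

if __name__ == "__main__":
    for no, cls, reason in audit(SAMPLE):
        print(f"line {no}: {cls} ({reason})")
```

An empty result means no live reference was found in the scanned text; it says nothing about files that were not scanned.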