We would like to know if it would be a possible workaround to remove the SocketServer class and the JMSAppender class from the log4j-1.2.17 that is delivered in EEM.
Due to their security rules, those vulnerable files need to be removed from the server even if they do not use the functionality that has the vulnerability.
Release : 4.2
Component : Embedded Entitlements Manager 12.5
Broadcom has provided steps to remove these 2 classes from the jar files, since we do not use them.
The attached zip file has the directions.
See attached: EEM.log4j_1.x_wo_JMSAppender_SocketServer-selected.zip
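Once the classes have been removed, a scan like the following can confirm that no archive on the server still carries them, including log4j jars bundled inside a war or ear. This is an added example, not Broadcom's procedure or the contents of the attached zip; it assumes the two classes sit at their standard log4j 1.2.x package path `org/apache/log4j/net/`, and the function names are this example's own.

```python
import io
import sys
import zipfile
from pathlib import Path

# The two classes named on this page, at their package path inside log4j 1.2.x.
TARGETS = (
    "org/apache/log4j/net/JMSAppender",
    "org/apache/log4j/net/SocketServer",
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def is_target(entry):
    """True for Target.class and for inner classes such as Target$1.class."""
    if not entry.endswith(".class"):
        return False
    stem = entry[: -len(".class")]
    return any(stem == t or stem.startswith(t + "$") for t in TARGETS)


def scan_archive(data, label):
    """Return 'archive!entry' strings for target classes, following nested archives."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if is_target(name):
                    hits.append(f"{label}!{name}")
                elif name.lower().endswith(ARCHIVE_SUFFIXES):
                    hits += scan_archive(zf.read(name), f"{label}!{name}")
    except (zipfile.BadZipFile, RuntimeError):
        # Fail closed: an archive that cannot be read is reported, not skipped.
        hits.append(f"{label}!<unreadable archive, inspect manually>")
    return hits


def scan_tree(root):
    """Scan every jar/war/ear under root; an empty list means nothing was found."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits += scan_archive(path.read_bytes(), str(path))
    return hits


if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(found) if found else "no JMSAppender/SocketServer classes found")
    sys.exit(1 if found else 0)
```

Run it with the installation directory as the only argument; a non-zero exit status means at least one archive still contains one of the classes or could not be read.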