Since the discovery of the log4j vulnerability, we need to know if the Symantec Protection Engine (SPE) is vulnerable and if there is a patch that needs to be applied.

Impacted versions of Java 6, 7 and 8.  See Apache's site for details below.

According to the Apache's website, several Java vulnerability have been discovered.

Broadcom have released a hotfix to address this issue here: https://knowledge.broadcom.com/external/article?articleId=238072

SPE itself does not directly implement or interface with any Apache components, so this will not be applicable to the SPE service; thus, no patching is required.   However, a review or upgrade of the Java environment is recommended on older Java installations.

The only exposure you may have to a log4j vulnerability in the context of SPE would be around a couple of optional components/features:

1. If you're using the SPE REST API interface for scanning, the instructions for setup have you implement an instance of Apache Tomcat that acts as the listener to broker connections to the SPE service. This Tomcat instance will use log4j and any patches/mitigation steps would need to be applied to that Tomcat instance.

2. If your organization is using Liveupdate Administrator (LUA) for hosting and delivery of virus definitions, LUA contains an instance of Tomcat to host the websites for LUA, and any patches/mitigation steps would need to be applied to that Tomcat instance.

To follow Apache's latest recommendations, use the following:  Log4j – Apache Log4j Security Vulnerabilities