Step 4 of the HOLDDATA for AAM PTF LU04132 contains the following:
If you are using CAAAMRSA factor and cannot immediately enable the
RSA SecurID Authentication API (REST) support you can continue to use
the RSA SecurID Authentication API for C and Java (SDK) until you are
ready. You will need to copy the RSA provided log4j-1.2.12rsa-1.jar to
the RSA_HOME directory where authapi.jar and cryptoj.jar are located.
Log4j is no longer provided by mfav1.jar
Does this step need to be completed? How can a site determine if log4j is being used?
Release : 2.0
Component : Advanced Authentication Mainframe
AAM is not affected by the more serious CVE 2021-44228 Vulnerability applicable to log4j 2.x.
LU04132 contains remediation for the less severe log4j CVE-2021-4104 Vulnerability. The PTF removes a previously bundled Log4j v1.2.17 in mfav1.jar. If a site is not using RSA SecurID Authentication/CAAMRSA factor, then this process can be ignored. This is the only portion of AAM that was affected by the less severe log4j Vulnerability.
This version of log4j is used by RSA SDK code. The last step in the HOLDDATA indicates that if using the CAAAMRSA factor for RSA SecurID Authentication, either the REST API functionality will need to be activated instead of using the SDK or you the manual configuration step will need to be performed as indicated in the HOLDDATA. We strongly encourage moving to the REST API as soon as possible as the SDK has been depreciated. If moving to the REST API, the steps detailed below do not need to be completed.
To continue using the SDK:
Note: RSA Link account credentials are required to access the archive.
For additional information see Advanced Authentication Mainframe 2.0 Log4j 1.2.x vulnerability CVE-2021-4104