After applying the latest AP 11.6.1 patch to address the Log4j vulnerability as it pertains to Automation Point, subsequent security scans still report the presence of vulnerable Log4j files in the "Program Files (x86)\CA\CA Automation Point\Backup\patch" directory. How can these files be safely removed from the backup directory?
Release: 11.6.1 (SP01), 11.7
Component: Automation Point
Applying a patch to update the Apache Log4j version to a secure level results in the vulnerable version being copied to the "Program Files (x86)\CA\CA Automation Point\Backup\patch" directory.
1. Manually removing the backup directory, or individual modules from within it, will not affect the operation of the base product at the current patch level. It is nevertheless not recommended, because subsequent patch installations rely on the backup directory and will fail if it has been altered. If the vulnerable Log4j files must be removed from the backup directory because of security concerns and/or corporate policy, the following workaround still allows subsequent patches to be applied when necessary:
a. Prior to installing a new patch, uninstall the AP product.
b. Download the AP base product from the Broadcom Support Portal and reinstall.
c. Apply the desired patch level. This will create a new backup directory.
d. Once again delete the unwanted Log4j files from the "Program Files (x86)\CA\CA Automation Point\Backup\patch" directory. Removing the unwanted files from the backup directory does not impact the operation of the product at the current patch level.
This process will need to be repeated each time a new patch installation is required after deleting the unwanted Log4j files from the "Program Files (x86)\CA\CA Automation Point\Backup\patch" directory.
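The check a practitioner usually wants before and after step d is an inventory of exactly which Log4j JARs remain in the backup directory, with the version each JAR declares in its manifest and a file hash that can be matched against the security scanner's finding. The script below is an added example and is not part of the Broadcom article or the Automation Point product; it assumes the default install path quoted above (override with -BackupDir), Windows PowerShell 5.1 or later, and that the JARs carry a standard META-INF/MANIFEST.MF. Run it without -Remove first to list the files; rerun with -Remove only once the uninstall/reinstall/patch sequence above has been completed, since deleting from the backup directory is what breaks later patch installs.

```powershell
# Added example (not Broadcom code): inventory, and optionally remove, Log4j JARs
# under the Automation Point patch backup directory.
# Assumptions: default install path, PowerShell 5.1+, .NET ZipFile available.
param(
    [string]$BackupDir = "${env:ProgramFiles(x86)}\CA\CA Automation Point\Backup\patch",
    [switch]$Remove
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Read Implementation-Version from a JAR's manifest without extracting the archive.
function Get-JarImplementationVersion {
    param([string]$JarPath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try {
        $entry = $zip.GetEntry('META-INF/MANIFEST.MF')
        if ($null -eq $entry) { return $null }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try {
            while ($null -ne ($line = $reader.ReadLine())) {
                if ($line -match '^Implementation-Version:\s*(.+)$') {
                    return $Matches[1].Trim()
                }
            }
        } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    return $null
}

if (-not (Test-Path -LiteralPath $BackupDir)) {
    Write-Host "Backup directory not found: $BackupDir"
    exit 0
}

# Both Log4j 1.x (log4j-1.2.x.jar) and Log4j 2 (log4j-core-2.x.jar, log4j-api-2.x.jar)
# match this filter; the manifest version tells them apart.
$jars = Get-ChildItem -LiteralPath $BackupDir -Recurse -File -Filter 'log4j*.jar'

foreach ($jar in $jars) {
    $version = Get-JarImplementationVersion -JarPath $jar.FullName
    $hash    = (Get-FileHash -LiteralPath $jar.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path    = $jar.FullName
        Version = if ($version) { $version } else { '(no manifest version)' }
        SHA256  = $hash
    }
    if ($Remove) {
        Remove-Item -LiteralPath $jar.FullName -Force
        Write-Host "Removed $($jar.FullName)"
    }
}
```

Keep the listing produced by the first (non-removing) run: the paths and SHA-256 values are what you need to close the scanner finding, and they document which files were deleted from the backup directory should a later patch installation need to be explained.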
2. A better alternative is to upgrade. As of October 24, 2022, AP 11.7 SP01 is available; for improved security, its Notification Manager was redesigned to use NodeJS, and the third-party dependencies on Tomcat and Java were removed, so Apache Log4j is no longer used. After upgrading to AP 11.7 SP01, Tomcat can be shut down and both Java and Tomcat removed.
General Availability Announcement for OPS/MVS Automation Point 11.7 SP01
Automation Point 11.7.1 > Release Notes > Release Comparison
Direct link for all AP Product and Solutions downloads: https://support.broadcom.com/group/ecx/productdownloads?subfamily=AUTOMATION+POINT