Recent vulnerability scans have flagged new Log4j vulnerabilities, based on the version of Log4j that DCS ships. These vulnerabilities are:
CVE-2019-17571
CVE-2020-9488
CVE-2022-23302
CVE-2022-23305
CVE-2022-23307
https://logging.apache.org/log4j/1.2/
The locations of these files are as follows:
C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\lib\log4j-1.2.17.jar
C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\symapps\console\sis-ui.war
C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\symapps\console\sis-ui\WEB-INF\lib\log4j-1.2.17.jar
C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\symapps\umc\umcservices\WEB-INF\lib\log4j-1.2.17.jar
C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\symapps\umc\umcservices.war
A cross-check was done to review whether DCS uses any of the Log4j 1.2.17 components involved in the listed vulnerabilities:
CVE-2019-17571
DCS Server 6.9.1 does not use SocketServer, the vulnerable class, so DCS Server 6.9.1 is not affected by this vulnerability.
CVE-2020-9488
DCS Server 6.9.1 does not use SMTPAppender, so it is not affected by this vulnerability.
CVE-2022-23302
DCS Server 6.9.1 does not use JMSSink, so it is not affected by this vulnerability.
CVE-2022-23305
DCS Server 6.9.1 does not use JDBCAppender, so it is not affected by this vulnerability.
CVE-2022-23307
DCS Server 6.9.1 does not use the Chainsaw components, so it is not affected by this vulnerability.
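The reasoning above is that shipping a class inside log4j-1.2.17.jar is not the same as using it: each of these CVEs is only reachable when its component (SocketServer, SMTPAppender, JMSSink, JDBCAppender, Chainsaw) is wired into the logging configuration or started as a standalone process. The following script is an added example, not Broadcom's or Symantec's code, that makes this argument checkable on your own install: it lists which vulnerable classes a jar or war physically ships and which of them a log4j.properties or log4j.xml actually references. The sample war and the two sample configurations it uses are constructed stand-ins, not data taken from a DCS server; the class-to-CVE mapping is the one stated in the advisory.

```python
"""Check a Log4j 1.2.x deployment for the components behind CVE-2019-17571,
CVE-2020-9488, CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307.

Each CVE is reachable only when its component is wired into the logging
configuration or run as a standalone process; shipping the class inside
log4j-1.2.17.jar is not by itself exposure. These helpers check both sides.
"""
import io
import re
import zipfile

# CVE -> fully qualified class names it concerns; a trailing "." is a package prefix.
VULNERABLE_COMPONENTS = {
    "CVE-2019-17571": ["org.apache.log4j.net.SocketServer"],
    "CVE-2020-9488": ["org.apache.log4j.net.SMTPAppender"],
    "CVE-2022-23302": ["org.apache.log4j.net.JMSSink"],
    "CVE-2022-23305": ["org.apache.log4j.jdbc.JDBCAppender"],
    "CVE-2022-23307": ["org.apache.log4j.chainsaw."],
}


def group_by_cve(class_names):
    """Map fully qualified class names onto the CVEs they fall under."""
    hits = {}
    for cve, patterns in VULNERABLE_COMPONENTS.items():
        matched = sorted(n for n in class_names
                         if any(n.startswith(p) if p.endswith(".") else n == p for p in patterns))
        if matched:
            hits[cve] = matched
    return hits


def find_config_references(config_text):
    """Vulnerable components a log4j.properties or log4j.xml body actually wires in.

    Both formats name appenders by fully qualified class, so a class-name scan
    suffices; comments are stripped first so a commented-out appender is not counted.
    """
    text = re.sub(r"<!--.*?-->", "", config_text, flags=re.S)   # XML comments
    text = re.sub(r"^\s*[#!].*$", "", text, flags=re.M)          # .properties comments
    return group_by_cve(set(re.findall(r"org\.apache\.log4j(?:\.[A-Za-z0-9_$]+)+", text)))


def _class_names(archive):
    """Class names in a jar, plus those of any log4j jar nested in a war."""
    names = set()
    with zipfile.ZipFile(archive) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class"):
                names.add(entry[:-len(".class")].replace("/", "."))
            elif entry.endswith(".jar") and entry.rsplit("/", 1)[-1].startswith("log4j"):
                names |= _class_names(io.BytesIO(zf.read(entry)))
    return names


def shipped_components(archive):
    """Vulnerable classes physically present in a jar or war (presence, not use)."""
    return group_by_cve(_class_names(archive))


# Constructed sample data (not from a real DCS install): a stub log4j jar that
# ships the vulnerable classes, wrapped in a war the way sis-ui.war wraps
# WEB-INF/lib/log4j-1.2.17.jar. Class bodies are irrelevant to the check.
SAMPLE_CLASSES = [
    "org/apache/log4j/net/SocketServer.class", "org/apache/log4j/net/SMTPAppender.class",
    "org/apache/log4j/net/JMSSink.class", "org/apache/log4j/jdbc/JDBCAppender.class",
    "org/apache/log4j/chainsaw/Main.class", "org/apache/log4j/PatternLayout.class",
    "org/apache/log4j/RollingFileAppender.class",
]

SAFE_CONFIG = """# constructed sample: file logging only
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
"""

RISKY_CONFIG = """# constructed sample: mail alerting enabled, JDBC appender commented out
log4j.rootLogger=INFO, FILE, MAIL
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.MAIL=org.apache.log4j.net.SMTPAppender
log4j.appender.MAIL.SMTPHost=mail.example.internal
#log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
"""


def build_sample_war():
    """Return an in-memory war containing the stub log4j jar."""
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        for cls in SAMPLE_CLASSES:
            zf.writestr(cls, b"")
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-1.2.17.jar", jar.getvalue())
    war.seek(0)
    return war


if __name__ == "__main__":
    print("shipped:", shipped_components(build_sample_war()))
    print("safe config uses:", find_config_references(SAFE_CONFIG))
    print("risky config uses:", find_config_references(RISKY_CONFIG))
```

On a real server, pass the jar and war paths listed above to shipped_components() and the contents of each log4j configuration file under the tomcat tree to find_config_references(); the first call will report all five CVEs for any 1.2.17 jar (the classes are always shipped), and the second is the one that decides exposure. A non-empty result from the second call, or a SocketServer or Chainsaw process started by a service script, is what would contradict the "not affected" conclusion.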
Please contact Broadcom support for any further questions regarding this topic.