Symantec Data Center Security Server Vulnerability Log4J CVE list


Article ID: 235502


Updated On:

Products

Data Center Security Server Advanced, Data Center Security Server, Data Center Security Monitoring Edition

Issue/Introduction

Recent vulnerability scans have flagged new vulnerabilities related to Log4j, based on the version of Log4j that DCS runs. These vulnerabilities are:

CVE-2019-17571

CVE-2020-9488

CVE-2022-23302

CVE-2022-23305

CVE-2022-23307

https://logging.apache.org/log4j/1.2/

The locations of these files are as follows:

C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\lib\log4j-1.2.17.jar

C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\symapps\console\sis-ui.war

C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\symapps\console\sis-ui\WEB-INF\lib\log4j-1.2.17.jar

C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\symapps\umc\umcservices\WEB-INF\lib\log4j-1.2.17.jar

C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\symapps\umc\umcservices.war

Resolution

DCS was cross-checked for use of the vulnerable Log4j 1.2.17 components named in each of the vulnerabilities listed above:

CVE-2019-17571
DCS Server 6.9.1 doesn't use SocketServer, which is a vulnerable class, so DCS Server 6.9.1 is not affected by this vulnerability

CVE-2020-9488
DCS Server 6.9.1 doesn't use SMTPAppender so it is not affected by this vulnerability

CVE-2022-23302
DCS Server 6.9.1 doesn't use JMSSink so it is not affected by this vulnerability

CVE-2022-23305
DCS Server 6.9.1 doesn't use JDBCAppender so it is not affected by this vulnerability

CVE-2022-23307
DCS Server 6.9.1 doesn't use Chainsaw components so it is not affected by this vulnerability
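One way to re-check these findings on an installation, as an added example (not Broadcom or Symantec code): the script below searches Log4j configuration files, including those packed inside `.war` archives, for active references to the five components named above. The fully qualified names are the standard Log4j 1.2 class and package names for those components; the function names and the sample configuration are constructed for illustration. It only detects configuration references, so a SocketServer or JMSSink started from a command line would not appear.

```python
import re
import zipfile
from pathlib import Path

# Log4j 1.2 classes/packages this article names, keyed by CVE.
RISKY = {
    "CVE-2019-17571": "org.apache.log4j.net.SocketServer",
    "CVE-2020-9488": "org.apache.log4j.net.SMTPAppender",
    "CVE-2022-23302": "org.apache.log4j.net.JMSSink",
    "CVE-2022-23305": "org.apache.log4j.jdbc.JDBCAppender",
    "CVE-2022-23307": "org.apache.log4j.chainsaw.",
}
CONFIG_EXT = (".properties", ".xml")
XML_COMMENT = re.compile(r"<!--.*?-->", re.S)

def scan_text(text):
    """Return [(line_no, cve, name)] for references outside comments."""
    # Blank XML comments but keep their newlines so line numbers stay correct.
    text = XML_COMMENT.sub(lambda m: "\n" * m.group().count("\n"), text)
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "!")):  # .properties comment line
            continue
        hits += [(no, cve, name) for cve, name in RISKY.items() if name in line]
    return hits

def scan_tree(root):
    """Scan config files, and config entries inside .war archives, under root."""
    results = {}
    for p in sorted(Path(root).rglob("*")):
        suffix = p.suffix.lower()
        docs = {}
        if p.is_file() and suffix in CONFIG_EXT:
            docs = {str(p): p.read_text(errors="replace")}
        elif p.is_file() and suffix == ".war" and zipfile.is_zipfile(p):
            with zipfile.ZipFile(p) as z:  # jars nested in the .war are not opened
                docs = {f"{p}!{n}": z.read(n).decode("utf-8", "replace")
                        for n in z.namelist() if n.lower().endswith(CONFIG_EXT)}
        for name, text in docs.items():
            if hits := scan_text(text):
                results[name] = hits
    return results

# Constructed sample, not taken from a DCS installation.
SAMPLE = """\
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
# log4j.appender.MAIL=org.apache.log4j.net.SMTPAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
"""
```

Run `scan_tree` against the `Server\tomcat` directory listed above; an empty result means no scanned configuration file references any of the five components.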

 

Please contact Broadcom support for any further questions regarding this topic.