Our security team has brought up the CVEs below that may be impacting these Log4J versions as well. I wanted to check whether these are non-impacting to Identity Manager, and the reasoning for that, so I can relay it back to our security team. If they are impacting, is there remediation that can be done, or expected upgrades in future patches?
<IDM_HOME>\Connector Server SDK\connectors\sdkws\resources\endpoint\war\WEB-INF\lib\log4j-1.2.15
<IDM_HOME>\IAM Suite\Identity Manager\tools\SelectiveExportUtility\log4j-1.2.16
<IDM_HOME>\IAM Suite\Identity Manager\tools\Workpoint\lib\axis\log4j-1.2.8
<IDM_HOME>\IAM Suite\Identity Manager\tools\Workpoint\src\wpPPCO\WEB-INF\lib\log4j-1.2.17
<IDM_HOME>\IAM Suite\Identity Manager\tools\Workpoint\src\wpWebframe\WEB-INF\lib\log4j-1.2.17
For CVE-2022-23302 (deserialization of untrusted data in JMSSink, which resolves its JMS objects through a JNDI lookup): Identity Manager is not vulnerable. Engineering has validated that the product does not configure JMSSink.
For CVE-2022-23305 (SQL injection in JDBCAppender, which builds its INSERT statement from unescaped log message content): Identity Manager is not vulnerable. Engineering has validated that the product does not use JDBCAppender.
For CVE-2022-23307 (deserialization of untrusted data in Chainsaw, the thick-client log viewer bundled in Log4j 1.2.x): Identity Manager is not vulnerable. Engineering has validated that the product does not use the Chainsaw thick client to view log4j entries.
Because the product is not vulnerable, these JARs have been handed to the development teams to work toward updating or removing them from the product in a future release.
Optionally, and at your own risk, you can follow the information from the Red Hat site referenced below to remove the affected class files (JMSSink, JDBCAppender and the org.apache.log4j.chainsaw package) from the jar files.
Back up every jar before removing anything from the out-of-the-box jars, so the original can be restored. Before deleting classes, confirm that no log4j.properties or log4j.xml in the installation references them, since a configuration that names a removed class will fail at startup; afterwards, list the jar's contents again to confirm the removal succeeded and the archive is still readable.
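The following Python script is an added example, not part of this article or of the product's own tooling. It carries out the class-file removal described above against a constructed stand-in for log4j-1.2.17.jar: back the jar up, audit it for the entries tied to the three CVEs, rewrite it without those entries, and audit again. The stub jar contents, the ".bak" suffix and the function names are assumptions made for the demonstration; to use it on a real installation, call find_vulnerable_entries and strip_entries on the jars listed above.

```python
import os
import shutil
import tempfile
import zipfile

# Entries in Log4j 1.2.x tied to the three CVEs discussed in the article:
#   CVE-2022-23302 -> org.apache.log4j.net.JMSSink
#   CVE-2022-23305 -> org.apache.log4j.jdbc.JDBCAppender
#   CVE-2022-23307 -> org.apache.log4j.chainsaw.* (the Chainsaw log viewer)
# A prefix match is used so inner classes (e.g. JDBCAppender$1.class) are caught too.
VULNERABLE_PREFIXES = {
    "CVE-2022-23302": ("org/apache/log4j/net/JMSSink",),
    "CVE-2022-23305": ("org/apache/log4j/jdbc/JDBCAppender",),
    "CVE-2022-23307": ("org/apache/log4j/chainsaw/",),
}


def find_vulnerable_entries(jar_path):
    """Return {cve: [entry, ...]} for jar entries matching VULNERABLE_PREFIXES.
    CVEs with no matching entry are omitted, so an empty dict means 'clean'."""
    found = {cve: [] for cve in VULNERABLE_PREFIXES}
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            for cve, prefixes in VULNERABLE_PREFIXES.items():
                if any(name.startswith(p) for p in prefixes):
                    found[cve].append(name)
    return {cve: names for cve, names in found.items() if names}


def strip_entries(jar_path, entries, backup_path):
    """Copy jar_path to backup_path, then rewrite jar_path without `entries`.
    The new archive is built in a temp file beside the jar and moved over the
    original in one step, so an interrupted run leaves the original intact.
    Returns the sorted list of entries that were dropped."""
    shutil.copy2(jar_path, backup_path)
    drop = set(entries)
    fd, tmp_path = tempfile.mkstemp(
        dir=os.path.dirname(os.path.abspath(jar_path)), suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename in drop:
                continue
            # Re-using the ZipInfo keeps each entry's compression and timestamp.
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return sorted(drop)


def build_sample_jar(jar_path):
    """Constructed stand-in for log4j-1.2.17.jar: empty class stubs whose names
    mirror the real layout. Only the entry names matter for this demonstration."""
    entries = [
        "META-INF/MANIFEST.MF",
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/net/JMSSink.class",
        "org/apache/log4j/jdbc/JDBCAppender.class",
        "org/apache/log4j/jdbc/JDBCAppender$1.class",   # inner class (assumed)
        "org/apache/log4j/chainsaw/Main.class",
        "org/apache/log4j/chainsaw/LoggingReceiver.class",
    ]
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as jar:
        for name in entries:
            jar.writestr(name, b"")
    return entries


def demo():
    """Run the full procedure (audit, backup, strip, re-audit) in a temp dir
    against the constructed jar and return the observations."""
    workdir = tempfile.mkdtemp()
    jar = os.path.join(workdir, "log4j-1.2.17.jar")
    backup = jar + ".bak"            # backup naming is an assumption
    build_sample_jar(jar)
    before = find_vulnerable_entries(jar)
    to_remove = [n for names in before.values() for n in names]
    removed = strip_entries(jar, to_remove, backup)
    after = find_vulnerable_entries(jar)
    with zipfile.ZipFile(jar) as z:
        remaining = sorted(z.namelist())
    with zipfile.ZipFile(backup) as z:
        backup_intact = all(n in z.namelist() for n in removed)
    shutil.rmtree(workdir)
    return {"before": before, "removed": removed, "after": after,
            "remaining": remaining, "backup_intact": backup_intact}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same removal can be done with Info-ZIP's `zip -d <jar> <entry>...` on any system that has it; the script above is useful where `zip` is not installed (a typical Windows server) and because it writes the backup before touching the original. Whichever tool you use, re-run the audit function on every jar listed above after the change.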