ITPAM log4j vulnerabilities

Article ID: 236935

Products

CA Process Automation Base

Issue/Introduction

Question is about ITPAM and the JMSAppender vulnerability for log4j.  It happens that our security software has found additional vulnerabilities with the log4j version that is delivered with ITPAM and our security department needs to have these reviewed by the vendor and documented.  These are the additional CVEs:

CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307

This is being identified on the log4j file located in:

 ...\CA\PAM\activemq\lib\optional\log4j-1.2.17.jar

 

Our Security Department needs Broadcom to provide a response to each of the CVEs for Apache Log4j for ITPAM version:

Version: 04.3.04
Build: 04.3.425 - Mar 17, 2021 10:31:57 AM

If the implementation is NOT vulnerable they need to show why the implementation of log4j in the product is not vulnerable to each CVE. 

If the implementation IS vulnerable we need a date for the patch to correct it.

If Broadcom can not provide a reason for the false positive or a patch date, PHEAA will not be able to use the product anymore and our purchasing department will be in contact.

Details on each vulnerability that needs to be addressed:

• CVE-2021-44832 (CVSS score: 6.6) - remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server
• CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
• CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
• CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
• CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)
• Nessus Plugin 156860 – (CVSS Score: 9.8)
    ◦ CVE-2019-17571 (CVSS Score: 9.8)
    ◦ CVE-2020-9488 (CVSS Score: 3.7)
    ◦ CVE-2022-23302 (no base score yet provided)
• https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html
• https://www.tenable.com/cve/CVE-2021-44228
• https://www.tenable.com/cve/CVE-2021-45046
• https://www.tenable.com/cve/CVE-2021-45105
• https://www.tenable.com/cve/CVE-2021-4104

Environment

  • Release : 4.3
  • Component : Process Automation

Resolution

Log4j vulnerabilities and Remediations

  1. Stop the PAM Server and take a backup of it. Also stop the PAM Agent and take a backup of it.
  2. Delete <PAMServer>/activemq/lib/optional/log4j-1.2.17.jar (the file the scanner reported).
  3. Safe-12.6.1.0.jar is present at the following locations on the PAM Server:
    • <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
    • <PAMServer>\server\c2o\ext-lib
    • <PAMServer>\server\c2o\.install4j\user
  4. log4j-1.2.15.jar is present at the following locations on the PAM Server (1-2) and the PAM Agent (3-5):
    1. <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
    2. <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
    3. <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
    4. <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
    5. <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars
  5. c2otransport-snapshot.jar (manual steps, because it packages its own copy of log4j-1.2.15.jar) is present at the following locations on the PAM Server (1-3) and the PAM Agent (4):
    1. <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
    2. <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
    3. <PAMServer>\server\c2o\ext-deploy
    4. <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars

Assessment of each reported item. Each row reads: S No | CVE | Affected log4j version | Need action in PAM, followed by the solution/remarks.

1 | CVE-2019-17571 | 1.2 | Yes

1. This CVE concerns SocketServer.class in the org/apache/log4j/net package of log4j-1.2.15.jar. PAM does not use this class, so delete it from the jar at each of the locations below.

Log4j jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars

Command to delete the class from the jar:

zip -q -d log4j-1.2.15.jar org/apache/log4j/net/SocketServer.class

Run this command against the jar at every location listed above.

2. SocketServer.class must also be deleted from Safe-12.6.1.0.jar, which repackages the same log4j classes under com/ca/eiam/log4j.

Safe-12.6.1.0.jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
  • <PAMServer>\server\c2o\ext-lib
  • <PAMServer>\server\c2o\.install4j\user

Command to delete the class from the jar:

zip -q -d Safe-12.6.1.0.jar com/ca/eiam/log4j/net/SocketServer.class

Run this command against the jar at every location listed above.

3. Also delete the class from the copy of log4j-1.2.15.jar packaged inside c2otransport-snapshot.jar, using WinZip or 7-Zip as below.

c2otransport-snapshot.jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
  • <PAMServer>\server\c2o\ext-deploy
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars

Steps to delete the class from the jar

Open c2otransport-snapshot.jar in a zip utility (7-Zip or WinZip) and delete SocketServer.class from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\net.

Perform this step for the jar at every location listed above.

 

 

2 | CVE-2020-9488 | 1.2 | Yes

1. This CVE concerns SMTPAppender.class (and its inner class SMTPAppender$1.class) in the org/apache/log4j/net package of log4j-1.2.15.jar. PAM does not use these classes, so delete them from the jar at each of the locations below.

Log4j jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars

Commands to delete the classes from the jar:

zip -q -d log4j-1.2.15.jar 'org/apache/log4j/net/SMTPAppender$1.class'

zip -q -d log4j-1.2.15.jar org/apache/log4j/net/SMTPAppender.class

Run these commands against the jar at every location listed above.

2. SMTPAppender.class does not exist in the Safe jar, so no action is required there.

3. Also delete the classes from the copy of log4j-1.2.15.jar packaged inside c2otransport-snapshot.jar, using 7-Zip as below.

c2otransport-snapshot.jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
  • <PAMServer>\server\c2o\ext-deploy
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars

Open c2otransport-snapshot.jar in a zip utility (7-Zip or WinZip) and delete SMTPAppender.class and SMTPAppender$1.class from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\net.

Perform this step for the jar at every location listed above.

 

3 | CVE-2022-23302 | 1.2 | Yes

1. This CVE concerns JMSSink.class in the org/apache/log4j/net package of log4j-1.2.15.jar. PAM does not use this class, so delete it from the jar at each of the locations below.

Log4j jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars

Command to delete the class from the jar:

zip -q -d log4j-1.2.15.jar org/apache/log4j/net/JMSSink.class

Run this command against the jar at every location listed above.

2. JMSSink.class does not exist in the Safe jar, so no action is required there.

3. Also delete the class from the copy of log4j-1.2.15.jar packaged inside c2otransport-snapshot.jar, using 7-Zip as below.

c2otransport-snapshot.jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
  • <PAMServer>\server\c2o\ext-deploy
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars

Open c2otransport-snapshot.jar in a zip utility (7-Zip or WinZip) and delete JMSSink.class from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\net.

Perform this step for the jar at every location listed above.

 

4 | CVE-2022-23305 | 1.x | Yes

1. This CVE concerns the JDBC appender classes in the org.apache.log4j.jdbc package of log4j-1.2.15.jar. PAM does not use them, so delete the whole package from the jar at each of the locations below.

Log4j jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars

Command to delete the classes from the jar (the pattern is quoted so that zip, not the shell, expands the wildcard against the jar's contents):

zip -q -d log4j-1.2.15.jar 'org/apache/log4j/jdbc*'

Run this command against the jar at every location listed above.

2. The same JDBC classes exist in the com.ca.eiam.log4j.jdbc package of Safe-12.6.1.0.jar. PAM does not use them, so delete them from the jar at each of the locations below.

Safe-12.6.1.0.jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
  • <PAMServer>\server\c2o\ext-lib
  • <PAMServer>\server\c2o\.install4j\user

Command to delete the classes from the jar:

zip -q -d Safe-12.6.1.0.jar 'com/ca/eiam/log4j/jdbc*'

Run this command against the jar at every location listed above.

3. Also delete the classes from the copy of log4j-1.2.15.jar packaged inside c2otransport-snapshot.jar, using 7-Zip as below.

c2otransport-snapshot.jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
  • <PAMServer>\server\c2o\ext-deploy
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars

Open c2otransport-snapshot.jar in a zip utility (7-Zip or WinZip) and delete the jdbc folder from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\.

Perform this step for the jar at every location listed above.

 

5 | CVE-2022-23307 | 1.2.x | Yes

1. This CVE concerns the Chainsaw classes in the org.apache.log4j.chainsaw package of log4j-1.2.15.jar. PAM does not use them, so delete the whole package from the jar at each of the locations below.

Log4j jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars

Command to delete the classes from the jar (the pattern is quoted so that zip, not the shell, expands the wildcard against the jar's contents):

zip -q -d log4j-1.2.15.jar 'org/apache/log4j/chainsaw*'

Run this command against the jar at every location listed above.

2. The same Chainsaw classes exist in the com.ca.eiam.log4j.chainsaw package of Safe-12.6.1.0.jar. PAM does not use them, so delete them from the jar at each of the locations below.

Safe-12.6.1.0.jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
  • <PAMServer>\server\c2o\ext-lib
  • <PAMServer>\server\c2o\.install4j\user

Command to delete the classes from the jar:

zip -q -d Safe-12.6.1.0.jar 'com/ca/eiam/log4j/chainsaw*'

Run this command against the jar at every location listed above.

3. Also delete the classes from the copy of log4j-1.2.15.jar packaged inside c2otransport-snapshot.jar, using 7-Zip as below.

c2otransport-snapshot.jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
  • <PAMServer>\server\c2o\ext-deploy
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars

Open c2otransport-snapshot.jar in a zip utility (7-Zip or WinZip) and delete the chainsaw folder from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\.

Perform this step for the jar at every location listed above.

 

6 | CVE-2021-44832 | 2.x | No

This CVE concerns the JDBC appender classes and affects log4j 2.x only. The corresponding 1.2 JDBC classes are already removed under CVE-2022-23305 (row 4).

 

7 | CVE-2021-44228 | 2.x | No

Affects log4j 2.x only (2.0-beta9 to 2.14.1). PAM ships log4j 1.2.x, so no action is needed.

8 | CVE-2021-45046 | 2.x | No

Affects log4j 2.x only (2.0-beta9 to 2.15.0). PAM ships log4j 1.2.x, so no action is needed.

9 | CVE-2021-45105 | 2.x | No

Affects log4j 2.x only (2.0-beta9 to 2.16.0). PAM ships log4j 1.2.x, so no action is needed.

 

10 | CVE-2021-4104 | 1.2 | Yes

1. This CVE concerns JMSAppender.class in the org.apache.log4j.net package of log4j-1.2.15.jar. PAM does not use this class, so delete it from the jar at each of the locations below.

Log4j jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars

Command to delete the class from the jar:

zip -q -d log4j-1.2.15.jar org/apache/log4j/net/JMSAppender.class

Run this command against the jar at every location listed above.

2. JMSAppender.class does not exist in the Safe jar, so no action is required there.

3. Also delete the class from the copy of log4j-1.2.15.jar packaged inside c2otransport-snapshot.jar, using 7-Zip as below.

c2otransport-snapshot.jar locations

  • <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
  • <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
  • <PAMServer>\server\c2o\ext-deploy
  • <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars

Open c2otransport-snapshot.jar in a zip utility (7-Zip or WinZip) and delete JMSAppender.class from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\net.

Perform this step for the jar at every location listed above.

 

11 | https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html (CVE-2021-45105) | 2.x | No

12 | https://www.tenable.com/cve/CVE-2021-44228 | 2.x | No

13 | https://www.tenable.com/cve/CVE-2021-45046 | 2.x | No

14 | https://www.tenable.com/cve/CVE-2021-45105 | 2.x | No

15 | https://www.tenable.com/cve/CVE-2021-4104 | 1.2 | Yes

This concerns the JMSAppender class and is already covered under CVE-2021-4104 (row 10).

To simplify and consolidate the recommended remediations, follow these instructions:

*** On Windows you will need 7-Zip

Before you begin, make sure to shut down all ITPAM processes.

1. Locate all copies of the "log4j-1.2.15.jar" file with this command:

   On Windows it looks like this (the leading backslash makes dir search the whole current drive; repeat on each drive where ITPAM is installed):
   dir /b/s \log4j-1.2.15.jar
   
   On Linux it looks like this:
   find / -name log4j-1.2.15.jar 2>/dev/null
   
   For example (Windows):
   C:\Users\Administrator>dir /b/s \log4j-1.2.15.jar
   C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oagentresources\lib\log4j-1.2.15.jar
   C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars\log4j-1.2.15.jar
   C:\Program Files\CA\PAM\server\c2o\.install4j\user\log4j-1.2.15.jar
   
   For example (Linux):
   [root@olnx79-orcl122 ~]# find / -name log4j-1.2.15.jar 2>/dev/null
   /opt/CA/PAM/server/c2o/.c2orepository/.c2oagentresources/lib/log4j-1.2.15.jar
   /opt/CA/PAM/server/c2o/.c2orepository/.c2ocommonresources/lib/log4j/jars/log4j-1.2.15.jar
   /opt/CA/PAM/server/c2o/.install4j/user/log4j-1.2.15.jar
   
2. For each of the copies of log4j-1.2.15.jar found on the computer, perform these steps:
   a. Change directory to the folder containing the jar file.
   
      For example (Windows):
      cd C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oagentresources\lib
   
      For example (Linux):
      [root@olnx79-orcl122 ~]# cd /opt/CA/PAM/server/c2o/.c2orepository/.c2oagentresources/lib
   
   b. Make a backup copy of the jar file.
   
      For example (Windows):
      copy log4j-1.2.15.jar log4j-1.2.15.jar_backup

      For example (Linux):
      [root@olnx79-orcl122 lib]# cp log4j-1.2.15.jar log4j-1.2.15.jar_backup
   
   c. Use the zip utility on Linux, or 7-Zip on Windows, to delete the problematic classes from the jar file. On Linux the entry names are single-quoted so that the shell does not expand the $ or the * itself; zip applies the wildcard to the jar's contents.
      
      For Linux it would look like this:
      zip -q -d log4j-1.2.15.jar 'org/apache/log4j/net/SocketServer.class'
      zip -q -d log4j-1.2.15.jar 'org/apache/log4j/net/SMTPAppender$1.class'
      zip -q -d log4j-1.2.15.jar 'org/apache/log4j/net/SMTPAppender.class'
      zip -q -d log4j-1.2.15.jar 'org/apache/log4j/net/JMSSink.class'
      zip -q -d log4j-1.2.15.jar 'org/apache/log4j/jdbc*'
      zip -q -d log4j-1.2.15.jar 'org/apache/log4j/chainsaw*'
      zip -q -d log4j-1.2.15.jar 'org/apache/log4j/net/JMSAppender.class'
      
      For 7-Zip it would look like this:
      7z d log4j-1.2.15.jar org/apache/log4j/net/SocketServer.class
      7z d log4j-1.2.15.jar org/apache/log4j/net/SMTPAppender$1.class
      7z d log4j-1.2.15.jar org/apache/log4j/net/SMTPAppender.class
      7z d log4j-1.2.15.jar org/apache/log4j/net/JMSSink.class
      7z d log4j-1.2.15.jar org/apache/log4j/jdbc*
      7z d log4j-1.2.15.jar org/apache/log4j/chainsaw*
      7z d log4j-1.2.15.jar org/apache/log4j/net/JMSAppender.class
   
   Repeat these same steps for each log4j-1.2.15.jar file found on the computer, then list each jar's contents and confirm that none of the deleted entries remain.

3. Locate all copies of the "safe-12.6.1.0.jar" file with this command:

   On Windows it looks like this:
   dir /b/s \safe-12.6.1.0.jar
   
   On Linux it looks like this:
   find / -name Safe-12.6.1.0.jar 2>/dev/null

   For example (Windows):
   C:\Users\Administrator>dir /b/s \safe-12.6.1.0.jar
   C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oserverresources\lib\Safe-12.6.1.0.jar
   C:\Program Files\CA\PAM\server\c2o\.install4j\user\Safe-12.6.1.0.jar
   C:\Program Files\CA\PAM\server\c2o\ext-lib\Safe-12.6.1.0.jar
   
   For example (Linux):
   [root@olnx79-orcl122 lib]# find / -name Safe-12.6.1.0.jar 2>/dev/null
   /opt/CA/PAM/server/c2o/.c2orepository/.c2oserverresources/lib/Safe-12.6.1.0.jar
   /opt/CA/PAM/server/c2o/.install4j/user/Safe-12.6.1.0.jar
   /opt/CA/PAM/server/c2o/ext-lib/Safe-12.6.1.0.jar

4. For each of the copies of Safe-12.6.1.0.jar found on the computer, perform these steps:
   a. Change directory to the folder containing the jar file.
   
      On Windows it looks like this:
      cd C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oserverresources\lib
   
      On Linux it looks like this:
      [root@olnx79-orcl122 lib]# cd /opt/CA/PAM/server/c2o/.c2orepository/.c2oserverresources/lib
   
   b. Make a backup copy of the jar file.
   
      On Windows it looks like this:
      copy Safe-12.6.1.0.jar Safe-12.6.1.0.jar_backup
   
      On Linux it looks like this:
      [root@olnx79-orcl122 lib]# cp Safe-12.6.1.0.jar Safe-12.6.1.0.jar_backup
   
   c. Use the zip utility on Linux, or 7-Zip on Windows, to delete the problematic classes from the jar file. The Safe jar carries no SMTPAppender, JMSSink or JMSAppender, so only three deletions apply; the wildcard patterns are single-quoted on Linux so that zip, not the shell, expands them.
      
      For Linux it would look like this:
      zip -q -d Safe-12.6.1.0.jar 'com/ca/eiam/log4j/net/SocketServer.class'
      zip -q -d Safe-12.6.1.0.jar 'com/ca/eiam/log4j/jdbc*'
      zip -q -d Safe-12.6.1.0.jar 'com/ca/eiam/log4j/chainsaw*'
      
      For 7-Zip it would look like this:
      7z d Safe-12.6.1.0.jar com/ca/eiam/log4j/net/SocketServer.class
      7z d Safe-12.6.1.0.jar com/ca/eiam/log4j/jdbc*
      7z d Safe-12.6.1.0.jar com/ca/eiam/log4j/chainsaw*

   Repeat these same steps for each Safe-12.6.1.0.jar file found on the computer.

5. Locate all copies of the "c2otransport-snapshot.jar" file with this command:

   On Windows it looks like this:
   dir /b/s \c2otransport-snapshot.jar
   
   On Linux it looks like this:
   find / -name c2otransport-snapshot.jar 2>/dev/null
   
   For example (Windows):
   C:\Users\Administrator>dir /b/s \c2otransport-snapshot.jar
   C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars\c2otransport-snapshot.jar
   C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oserverresources\lib\c2otransport-snapshot.jar
   C:\Program Files\CA\PAM\server\c2o\.install4j\user\c2otransport-snapshot.jar
   C:\Program Files\CA\PAM\server\c2o\ext-deploy\c2otransport-snapshot.jar
   
   For example (Linux):
   [root@olnx79-orcl122 lib]# find / -name c2otransport-snapshot.jar 2>/dev/null
   /opt/CA/PAM/server/c2o/.c2orepository/.c2oagentresources/lib/c2o/jars/c2otransport-snapshot.jar
   /opt/CA/PAM/server/c2o/.c2orepository/.c2oserverresources/lib/c2otransport-snapshot.jar
   /opt/CA/PAM/server/c2o/.install4j/user/c2otransport-snapshot.jar
   /opt/CA/PAM/server/c2o/ext-deploy/c2otransport-snapshot.jar
   
6. For each of the copies of c2otransport-snapshot.jar found on the computer, perform these steps:
   a. Change directory to the folder containing the jar file.  For example:

      On Windows it looks like this:
      cd C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
   
      On Linux it looks like this:
      [root@olnx79-orcl122 lib]# cd /opt/CA/PAM/server/c2o/.c2orepository/.c2oagentresources/lib/c2o/jars
   
   b. Make a backup copy of the jar file.  For example:

      On Windows it looks like this:
      copy c2otransport-snapshot.jar c2otransport-snapshot.jar_backup

      On Linux it looks like this:
      [root@olnx79-orcl122 jars]# cp c2otransport-snapshot.jar c2otransport-snapshot.jar_backup

   c. Check whether a copy of log4j-1.2.15.jar already exists in the same folder.  If it does, it was found in step 1 and cleaned in step 2.  For example:

      On Windows it looks like this:
      dir log4j-1.2.15.jar
   
      On Linux it looks like this:
      [root@olnx79-orcl122 jars]# ls log4j-1.2.15.jar
      ls: cannot access log4j-1.2.15.jar: No such file or directory
      (in this case no jar file was found)
   
   d. If no copy of log4j-1.2.15.jar exists in this folder, copy one of the log4j-1.2.15.jar files you already cleaned in step 2 into it.  It must be a cleaned copy, because step e replaces the jar packaged inside c2otransport-snapshot.jar with whatever is in this folder.  For example:

      On Windows it looks like this:
      copy "C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oagentresources\lib\log4j-1.2.15.jar" .

      On Linux it looks like this:
      cp /opt/CA/PAM/server/c2o/.c2orepository/.c2oagentresources/lib/log4j-1.2.15.jar .

   e. Replace the copy of log4j-1.2.15.jar packaged inside c2otransport-snapshot.jar with the cleaned one.  The packaged jar sits at the root of c2otransport-snapshot.jar, so adding an entry named log4j-1.2.15.jar overwrites it.
   
      For Linux it would look like this:
      zip -r c2otransport-snapshot.jar log4j-1.2.15.jar
   
      For 7-Zip it would look like this:
      7z u c2otransport-snapshot.jar log4j-1.2.15.jar

   f. If you copied a log4j-1.2.15.jar file into this folder in step 6d, delete it now.  If the file was already in the folder, do NOT delete it.

      On Windows it looks like this:
      del log4j-1.2.15.jar
   
      On Linux it looks like this:
      rm -f log4j-1.2.15.jar
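
Steps 1-6 above, as one script instead of per-jar commands. This is an added example and not Broadcom's tooling or code from this article. It assumes only the jar names, package prefixes and class lists the article gives, and uses Python's standard zipfile module, so the same script runs on Windows and Linux without zip or 7-Zip. It walks the install root, backs each affected jar up with the article's _backup suffix, rebuilds it without the flagged entries, cleans the log4j-1.2.15.jar packaged inside c2otransport-snapshot.jar recursively, and returns a per-jar, per-CVE list of what was removed, which is the record the security team asked for. Run it with --dry-run first to get that list without changing anything, and run it again afterwards: an empty result is the check that nothing flagged remains. The tree built by build_sample_install() is constructed for a stand-alone run (used when no root is given); point the script at the real <PAMServer> or <PAMAgentLocation> root instead, with ITPAM stopped.

```python
"""Strip the log4j 1.2 classes from the CVE table above out of every affected jar under an ITPAM
install, including the log4j-1.2.15.jar packaged inside c2otransport-snapshot.jar, and report what
was removed.  Stop ITPAM first.  Added example, not Broadcom tooling; the sample tree is constructed."""
import io, shutil, sys, tempfile, zipfile
from pathlib import Path

# Entries to drop, relative to the log4j package prefix, keyed by CVE (from the table above);
# a trailing "/" means the whole package.
LOG4J_ENTRIES = {
    "CVE-2019-17571": ["net/SocketServer.class"],
    "CVE-2020-9488": ["net/SMTPAppender.class", "net/SMTPAppender$1.class"],
    "CVE-2022-23302": ["net/JMSSink.class"],
    "CVE-2022-23305": ["jdbc/"],
    "CVE-2022-23307": ["chainsaw/"],
    "CVE-2021-4104": ["net/JMSAppender.class"],
}
# Safe-12.6.1.0.jar repackages log4j under com/ca/eiam/log4j and, per the table,
# has no SMTPAppender, JMSSink or JMSAppender, so only three CVEs apply to it.
SAFE_ENTRIES = {c: LOG4J_ENTRIES[c] for c in
                ("CVE-2019-17571", "CVE-2022-23305", "CVE-2022-23307")}
JAR_RULES = {  # lower-cased jar name -> (package prefix inside the jar, entries to remove)
    "log4j-1.2.15.jar": ("org/apache/log4j/", LOG4J_ENTRIES),
    "safe-12.6.1.0.jar": ("com/ca/eiam/log4j/", SAFE_ENTRIES),
}
NESTED_JAR = "c2otransport-snapshot.jar"  # carries log4j-1.2.15.jar at its root

def offending_cve(name, prefix, entries):
    """CVE whose entry list covers zip entry `name`, or None."""
    for cve, suffixes in entries.items():
        if any(name == prefix + s or (s.endswith("/") and name.startswith(prefix + s))
               for s in suffixes):
            return cve
    return None

def inspect_jar(file_name, data):
    """({cve: [entries present]}, cleaned jar bytes) for a listed jar, else (None, None).
    zipfile cannot delete in place, so the jar is rebuilt entry by entry (what zip -d / 7z d do)."""
    name = file_name.lower()
    if name not in JAR_RULES and name != NESTED_JAR:
        return None, None
    prefix, entries = JAR_RULES.get(name, (None, {}))  # (None, {}) for the transport jar
    found, out = {}, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            cve = prefix and offending_cve(item.filename, prefix, entries)
            if cve:
                found.setdefault(cve, []).append(item.filename)
                continue  # drop this entry
            payload = src.read(item.filename)
            if prefix is None:  # transport jar: clean the packaged log4j jar recursively
                inner, cleaned = inspect_jar(item.filename.rsplit("/", 1)[-1], payload)
                if inner:
                    for c, hits in inner.items():
                        found.setdefault(c, []).extend(item.filename + "!" + h for h in hits)
                    payload = cleaned
            dst.writestr(item.filename, payload, item.compress_type)
    return found, out.getvalue()

def remediate(root, dry_run=False):
    """Back up (name + "_backup", as the article does) and rewrite every affected jar under
    `root`; return {jar path: {cve: [entries removed]}}.  A second run returning {} is the check."""
    report = {}
    for path in sorted(Path(root).rglob("*.jar")):
        found, cleaned = inspect_jar(path.name, path.read_bytes())
        if found:
            report[str(path)] = found
            if not dry_run:
                shutil.copy2(path, path.with_name(path.name + "_backup"))
                path.write_bytes(cleaned)
    return report

def build_sample_install(root):
    """Constructed stand-in for an ITPAM tree (4-byte fake classes, not a real install)."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for n, body in entries:
                zf.writestr(n, body)
        return buf.getvalue()
    cls = b"\xca\xfe\xba\xbe"
    log4j = jar([("org/apache/log4j/" + n, cls) for n in (
        "Logger.class", "net/SocketServer.class", "net/SMTPAppender.class", "net/SMTPAppender$1.class",
        "net/JMSSink.class", "jdbc/JDBCAppender.class", "chainsaw/Main.class", "net/JMSAppender.class")])
    safe = jar([("com/ca/eiam/log4j/" + n, cls) for n in (
        "Logger.class", "net/SocketServer.class", "jdbc/JDBCAppender.class", "chainsaw/Main.class")])
    transport = jar([("log4j-1.2.15.jar", log4j), ("com/ca/pam/Transport.class", cls)])
    base = Path(root) / "server/c2o"
    for rel, data in ((".c2orepository/.c2oagentresources/lib/log4j-1.2.15.jar", log4j),
                      (".c2orepository/.c2oagentresources/lib/c2o/jars/" + NESTED_JAR, transport),
                      ("ext-lib/Safe-12.6.1.0.jar", safe)):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    return root

if __name__ == "__main__":  # usage: strip_log4j.py <ITPAM root> [--dry-run]; no root = demo tree
    root = ([a for a in sys.argv[1:] if a != "--dry-run"] or [build_sample_install(tempfile.mkdtemp())])[0]
    print(remediate(root, "--dry-run" in sys.argv))
```

Because the jar is rewritten rather than edited in place, its timestamp changes, but the original stays beside it as <name>_backup exactly as in the manual steps. The jar name match is case-insensitive, so the Safe-12.6.1.0.jar spelling differences in the Windows examples above do not matter, and running the script against <PAMAgentLocation> covers the agent-side copies with the same rules.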

   

Additional Information

The log4j issues above are addressed in ITPAM 4.3.05 CP06:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/automic-process-automation/04-3-05/release-notes/itpam-4-3-5-cp06-readme.html

Upgrade to CP06 or later where possible; the manual class removal above is an interim mitigation for installations that cannot upgrade yet.