Question is about ITPAM and the JMSAppender vulnerability for log4j. It happens that our security software has found additional vulnerabilities with the log4j version that is delivered with ITPAM and our security department needs to have these reviewed by the vendor and documented. These are the additional CVEs:
CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307
This is being identified on the log4j file located in:
...\CA\PAM\activemq\lib\optional\log4j-1.2.17.jar
Our Security Department needs Broadcom to provide a response to each of the CVEs for Apache Log4j for ITPAM version:
Version: 04.3.04
Build: 04.3.425 - Mar 17, 2021 10:31:57 AM
If the implementation is NOT vulnerable they need to show why the implementation of log4j in the product is not vulnerable to each CVE.
If the implementation IS vulnerable we need a date for the patch to correct it.
If Broadcom can not provide a reason for the false positive or a patch date, PHEAA will not be able to use the product anymore and our purchasing department will be in contact.
Details on each vulnerability that needs to be addressed:
• CVE-2021-44832 (CVSS score: 6.6) - remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server
• CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
• CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
• CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
• CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)
• Nessus Plugin 156860 – (CVSS Score: 9.8)
o CVE-2019-17571 (CVSS Score: 9.8)
o CVE-2020-9488 (CVSS Score: 3.7)
o CVE-2022-23302 (no base score yet provided)
• https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html
• https://www.tenable.com/cve/CVE-2021-44228
• https://www.tenable.com/cve/CVE-2021-45046
• https://www.tenable.com/cve/CVE-2021-45105
• https://www.tenable.com/cve/CVE-2021-4104
Component : Process Automation
Log4j vulnerabilities and remediations
The remediation for each CVE below lists the jar locations on the PAM server (<PAMServer>) and on the PAM Agent (<PAMAgentLocation>); every listed copy of a jar must be treated.
S No | CVE | Affected log4j Version | Need Action in PAM | Solution/Remarks
1 | CVE-2019-17571 | 1.2 | Yes
Solution/Remarks:
1. This concerns SocketServer.class in the org/apache/log4j/net package of log4j-1.2.15.jar. PAM does not use it, so delete it from the affected jars as follows.
Log4j jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars
Command to delete the class from the jar:
zip -q -d log4j-1.2.15.jar org/apache/log4j/net/SocketServer.class
Run this command against the jar at every location listed.
2. Delete SocketServer.class from Safe-12.6.1.0.jar as well.
Safe-12.6.1.0.jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
· <PAMServer>\server\c2o\ext-lib
· <PAMServer>\server\c2o\.install4j\user
Command to delete the class from the jar:
zip -q -d Safe-12.6.1.0.jar com/ca/eiam/log4j/net/SocketServer.class
Run this command against the jar at every location listed.
3. Also delete the class from the log4j-1.2.15.jar nested inside c2otransport-snapshot.jar, using WinZip or 7-Zip.
c2otransport-snapshot.jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
· <PAMServer>\CA\PAM435ISOCP06\server\c2o\ext-deploy
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars
Open c2otransport-snapshot.jar with a zip utility (7-Zip or WinZip) and delete SocketServer.class from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\net.
Do this for the jar at every location listed.
2 | CVE-2020-9488 | 1.2 | Yes
Solution/Remarks:
1. This concerns SMTPAppender.class (and its inner class SMTPAppender$1.class) in the org/apache/log4j/net package of log4j-1.2.15.jar. PAM does not use it, so delete both classes from the affected jars as follows.
Log4j jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars
Commands to delete the classes from the jar (quote the name containing $ so the shell does not expand it):
zip -q -d log4j-1.2.15.jar 'org/apache/log4j/net/SMTPAppender$1.class'
zip -q -d log4j-1.2.15.jar org/apache/log4j/net/SMTPAppender.class
Run these commands against the jar at every location listed.
2. SMTPAppender.class does not exist in the Safe jar; no action is required there.
3. Also delete the classes from the log4j-1.2.15.jar nested inside c2otransport-snapshot.jar, using 7-Zip.
c2otransport-snapshot.jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
· <PAMServer>\CA\PAM435ISOCP06\server\c2o\ext-deploy
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars
Open c2otransport-snapshot.jar with a zip utility (7-Zip or WinZip) and delete SMTPAppender.class and SMTPAppender$1.class from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\net.
Do this for the jar at every location listed.
3 | CVE-2022-23302 | 1.2 | Yes
Solution/Remarks:
1. This concerns JMSSink.class in the org/apache/log4j/net package of log4j-1.2.15.jar. PAM does not use it, so delete it from the affected jars as follows.
Log4j jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars
Command to delete the class from the jar:
zip -q -d log4j-1.2.15.jar org/apache/log4j/net/JMSSink.class
Run this command against the jar at every location listed.
2. JMSSink.class does not exist in the Safe jar; no action is required there.
3. Also delete the class from the log4j-1.2.15.jar nested inside c2otransport-snapshot.jar, using 7-Zip.
c2otransport-snapshot.jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
· <PAMServer>\CA\PAM435ISOCP06\server\c2o\ext-deploy
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars
Open c2otransport-snapshot.jar with a zip utility (7-Zip or WinZip) and delete JMSSink.class from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\net.
Do this for the jar at every location listed.
4 | CVE-2022-23305 | 1.x | Yes
Solution/Remarks:
1. This concerns the JDBC classes in the org.apache.log4j.jdbc package of log4j-1.2.15.jar. PAM does not use them, so delete them from the affected jars as follows.
Log4j jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars
Command to delete the classes from the jar (quote the wildcard so the shell passes it to zip unexpanded):
zip -q -d log4j-1.2.15.jar 'org/apache/log4j/jdbc*'
Run this command against the jar at every location listed.
2. This also concerns the JDBC classes in the com.ca.eiam.log4j.jdbc package of Safe-12.6.1.0.jar. PAM does not use them, so delete them from the affected jars as follows.
Safe-12.6.1.0.jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
· <PAMServer>\server\c2o\ext-lib
· <PAMServer>\server\c2o\.install4j\user
Command to delete the classes from the jar:
zip -q -d Safe-12.6.1.0.jar 'com/ca/eiam/log4j/jdbc*'
Run this command against the jar at every location listed.
3. Also delete the classes from the log4j-1.2.15.jar nested inside c2otransport-snapshot.jar, using 7-Zip.
c2otransport-snapshot.jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
· <PAMServer>\CA\PAM435ISOCP06\server\c2o\ext-deploy
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars
Open c2otransport-snapshot.jar with a zip utility (7-Zip or WinZip) and delete the jdbc folder from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\.
Do this for the jar at every location listed.
5 | CVE-2022-23307 | 1.2.x | Yes
Solution/Remarks:
1. This concerns the Chainsaw classes in the org.apache.log4j.chainsaw package of log4j-1.2.15.jar. PAM does not use them, so delete them from the affected jars as follows.
Log4j jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars
Command to delete the classes from the jar (quote the wildcard so the shell passes it to zip unexpanded):
zip -q -d log4j-1.2.15.jar 'org/apache/log4j/chainsaw*'
Run this command against the jar at every location listed.
2. This also concerns the Chainsaw classes in the com.ca.eiam.log4j.chainsaw package of Safe-12.6.1.0.jar. PAM does not use them, so delete them from the affected jars as follows.
Safe-12.6.1.0.jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
· <PAMServer>\server\c2o\ext-lib
· <PAMServer>\server\c2o\.install4j\user
Command to delete the classes from the jar:
zip -q -d Safe-12.6.1.0.jar 'com/ca/eiam/log4j/chainsaw*'
Run this command against the jar at every location listed.
3. Also delete the classes from the log4j-1.2.15.jar nested inside c2otransport-snapshot.jar, using 7-Zip.
c2otransport-snapshot.jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
· <PAMServer>\CA\PAM435ISOCP06\server\c2o\ext-deploy
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars
Open c2otransport-snapshot.jar with a zip utility (7-Zip or WinZip) and delete the chainsaw folder from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\.
Do this for the jar at every location listed.
6 | CVE-2021-44832 | 2.x | No
Solution/Remarks: This CVE concerns the JDBC appender of log4j 2.x, which PAM does not ship; the JDBC classes in the log4j 1.2 jars are already removed under item 4.
7 | CVE-2021-44228 | 2.x | No
Solution/Remarks: Affects log4j 2.x only; the log4j jars shipped with PAM are 1.2.x, so no action is needed.
8 | CVE-2021-45046 | 2.x | No
Solution/Remarks: Affects log4j 2.x only; the log4j jars shipped with PAM are 1.2.x, so no action is needed.
9 | CVE-2021-45105 | 2.x | No
Solution/Remarks: Affects log4j 2.x only; the log4j jars shipped with PAM are 1.2.x, so no action is needed.
10 | CVE-2021-4104 | 1.2 | Yes
Solution/Remarks:
1. This concerns JMSAppender.class in the org.apache.log4j.net package of log4j-1.2.15.jar. PAM does not use it, so delete it from the affected jars as follows.
Log4j jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\temp\.c2oagentresources\lib
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2ocommonresources\lib\log4j\jars
Command to delete the class from the jar:
zip -q -d log4j-1.2.15.jar org/apache/log4j/net/JMSAppender.class
Run this command against the jar at every location listed.
2. JMSAppender.class does not exist in the Safe jar; no action is required there.
3. Also delete the class from the log4j-1.2.15.jar nested inside c2otransport-snapshot.jar, using 7-Zip.
c2otransport-snapshot.jar locations:
· <PAMServer>\server\c2o\.c2orepository\.c2oserverresources\lib
· <PAMServer>\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
· <PAMServer>\CA\PAM435ISOCP06\server\c2o\ext-deploy
· <PAMAgentLocation>\PAMAgent\.c2orepository\.c2oagentresources\lib\c2o\jars
Open c2otransport-snapshot.jar with a zip utility (7-Zip or WinZip) and delete JMSAppender.class from \c2otransport-snapshot.jar\log4j-1.2.15.jar\org\apache\log4j\net.
Do this for the jar at every location listed.
11 | https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html (CVE-2021-45105) | 2.x | No
Solution/Remarks: Same as item 9.
12 | https://www.tenable.com/cve/CVE-2021-44228 | 2.x | No
Solution/Remarks: Same as item 7.
13 | https://www.tenable.com/cve/CVE-2021-45046 | 2.x | No
Solution/Remarks: Same as item 8.
14 | https://www.tenable.com/cve/CVE-2021-45105 | 2.x | No
Solution/Remarks: Same as item 9.
15 | https://www.tenable.com/cve/CVE-2021-4104 | 1.2 | Yes
Solution/Remarks: This concerns the JMSAppender class and is already covered under item 10.
To simplify and consolidate the recommended remediations, follow these instructions:
*** On Windows you will need 7-Zip
Before you begin, make sure to shut down all ITPAM processes.
1. Locate all copies of the "log4j-1.2.15.jar" file with this command:
On Windows it looks like this (the leading backslash searches the whole current drive, so run it from the drive ITPAM is installed on):
dir /b/s \log4j-1.2.15.jar
On Linux it looks like this:
find / -name log4j-1.2.15.jar 2>/dev/null
For example (Windows):
C:\Users\Administrator>dir /b/s \log4j-1.2.15.jar
C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oagentresources\lib\log4j-1.2.15.jar
C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2ocommonresources\lib\log4j\jars\log4j-1.2.15.jar
C:\Program Files\CA\PAM\server\c2o\.install4j\user\log4j-1.2.15.jar
For example (Linux):
[root@olnx79-orcl122 ~]# find / -name log4j-1.2.15.jar 2>/dev/null
/opt/CA/PAM/server/c2o/.c2orepository/.c2oagentresources/lib/log4j-1.2.15.jar
/opt/CA/PAM/server/c2o/.c2orepository/.c2ocommonresources/lib/log4j/jars/log4j-1.2.15.jar
/opt/CA/PAM/server/c2o/.install4j/user/log4j-1.2.15.jar
2. For each of the copies of log4j-1.2.15.jar found on the computer, perform these steps:
a. Change Directory to the folder containing the jar file.
For example (Windows):
cd C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oagentresources\lib
For example (Linux):
[root@olnx79-orcl122 ~]# cd /opt/CA/PAM/server/c2o/.c2orepository/.c2oagentresources/lib
b. Make a backup copy of the jar file.
For example (Windows):
copy log4j-1.2.15.jar log4j-1.2.15.jar_backup
For example (Linux):
[root@olnx79-orcl122 lib]# cp log4j-1.2.15.jar log4j-1.2.15.jar_backup
c. Use the zip utility on Linux, or WinZip or 7-Zip on Windows, to delete the problematic classes from the jar file. On Linux, quote the names containing $ or * so the shell passes them to zip unchanged (an unquoted $1 expands to an empty string and the wrong entry would be targeted).
For Linux it would look like this:
zip -q -d log4j-1.2.15.jar org/apache/log4j/net/SocketServer.class
zip -q -d log4j-1.2.15.jar 'org/apache/log4j/net/SMTPAppender$1.class'
zip -q -d log4j-1.2.15.jar org/apache/log4j/net/SMTPAppender.class
zip -q -d log4j-1.2.15.jar org/apache/log4j/net/JMSSink.class
zip -q -d log4j-1.2.15.jar 'org/apache/log4j/jdbc*'
zip -q -d log4j-1.2.15.jar 'org/apache/log4j/chainsaw*'
zip -q -d log4j-1.2.15.jar org/apache/log4j/net/JMSAppender.class
For 7-Zip it would look like this:
7z d log4j-1.2.15.jar org/apache/log4j/net/SocketServer.class
7z d log4j-1.2.15.jar org/apache/log4j/net/SMTPAppender$1.class
7z d log4j-1.2.15.jar org/apache/log4j/net/SMTPAppender.class
7z d log4j-1.2.15.jar org/apache/log4j/net/JMSSink.class
7z d log4j-1.2.15.jar org/apache/log4j/jdbc*
7z d log4j-1.2.15.jar org/apache/log4j/chainsaw*
7z d log4j-1.2.15.jar org/apache/log4j/net/JMSAppender.class
Repeat these same steps for each log4j-1.2.15.jar file found on the computer.
3. Locate all copies of the "Safe-12.6.1.0.jar" file with this command (note the capital S; file names are case-sensitive on Linux):
On Windows it looks like this:
dir /b/s \safe-12.6.1.0.jar
On Linux it looks like this:
find / -name Safe-12.6.1.0.jar 2>/dev/null
For example (Windows):
C:\Users\Administrator>dir /b/s \safe-12.6.1.0.jar
C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oserverresources\lib\Safe-12.6.1.0.jar
C:\Program Files\CA\PAM\server\c2o\.install4j\user\Safe-12.6.1.0.jar
C:\Program Files\CA\PAM\server\c2o\ext-lib\Safe-12.6.1.0.jar
For example (Linux):
[root@olnx79-orcl122 lib]# find / -name Safe-12.6.1.0.jar 2>/dev/null
/opt/CA/PAM/server/c2o/.c2orepository/.c2oserverresources/lib/Safe-12.6.1.0.jar
/opt/CA/PAM/server/c2o/.install4j/user/Safe-12.6.1.0.jar
/opt/CA/PAM/server/c2o/ext-lib/Safe-12.6.1.0.jar
4. For each of the copies of safe-12.6.1.0.jar found on the computer, perform these steps:
a. Change Directory to the folder containing the jar file.
On Windows it looks like this:
cd C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oserverresources\lib
On Linux it looks like this:
[root@olnx79-orcl122 lib]# cd /opt/CA/PAM/server/c2o/.c2orepository/.c2oserverresources/lib
b. Make a backup copy of the jar file.
On Windows it looks like this:
copy Safe-12.6.1.0.jar Safe-12.6.1.0.jar_backup
On Linux it looks like this:
[root@olnx79-orcl122 lib]# cp Safe-12.6.1.0.jar Safe-12.6.1.0.jar_backup
c. Use the zip utility on Linux, or WinZip or 7-Zip on Windows, to delete the problematic classes from the jar file. On Linux, quote the wildcard patterns so the shell passes them to zip unchanged.
For Linux it would look like this:
zip -q -d Safe-12.6.1.0.jar com/ca/eiam/log4j/net/SocketServer.class
zip -q -d Safe-12.6.1.0.jar 'com/ca/eiam/log4j/jdbc*'
zip -q -d Safe-12.6.1.0.jar 'com/ca/eiam/log4j/chainsaw*'
For 7-Zip it would look like this:
7z d Safe-12.6.1.0.jar com/ca/eiam/log4j/net/SocketServer.class
7z d Safe-12.6.1.0.jar com/ca/eiam/log4j/jdbc*
7z d Safe-12.6.1.0.jar com/ca/eiam/log4j/chainsaw*
5. Locate all copies of the "c2otransport-snapshot.jar" file with this command:
On Windows it looks like this:
dir /b/s \c2otransport-snapshot.jar
On Linux it looks like this:
find / -name c2otransport-snapshot.jar 2>/dev/null
For example (Windows):
C:\Users\Administrator>dir /b/s \c2otransport-snapshot.jar
C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars\c2otransport-snapshot.jar
C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oserverresources\lib\c2otransport-snapshot.jar
C:\Program Files\CA\PAM\server\c2o\.install4j\user\c2otransport-snapshot.jar
C:\Program Files\CA\PAM\server\c2o\ext-deploy\c2otransport-snapshot.jar
For example (Linux):
[root@olnx79-orcl122 lib]# find / -name c2otransport-snapshot.jar 2>/dev/null
/opt/CA/PAM/server/c2o/.c2orepository/.c2oagentresources/lib/c2o/jars/c2otransport-snapshot.jar
/opt/CA/PAM/server/c2o/.c2orepository/.c2oserverresources/lib/c2otransport-snapshot.jar
/opt/CA/PAM/server/c2o/.install4j/user/c2otransport-snapshot.jar
/opt/CA/PAM/server/c2o/ext-deploy/c2otransport-snapshot.jar
6. For each of the copies of c2otransport-snapshot.jar found on the computer, perform these steps:
a. Change Directory to the folder containing the jar file. For example:
On Windows it looks like this:
cd C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oagentresources\lib\c2o\jars
On Linux it looks like this:
[root@olnx79-orcl122 lib]# cd /opt/CA/PAM/server/c2o/.c2orepository/.c2oagentresources/lib/c2o/jars
b. Make a backup copy of the jar file. For example:
On Windows it looks like this:
copy c2otransport-snapshot.jar c2otransport-snapshot.jar_backup
On Linux it looks like this:
[root@olnx79-orcl122 jars]# cp c2otransport-snapshot.jar c2otransport-snapshot.jar_backup
c. Check whether a copy of log4j-1.2.15.jar already exists in the same folder. For example:
On Windows it looks like this:
dir log4j-1.2.15.jar
On Linux it looks like this:
[root@olnx79-orcl122 jars]# ls log4j-1.2.15.jar
ls: cannot access log4j-1.2.15.jar: No such file or directory
(in this case no jar file was found)
d. If no copy exists, copy one of the log4j-1.2.15.jar files you already cleaned in step 2 into this folder (any copy found in step 1 qualifies, since step 2 cleaned them all). For example:
On Windows it looks like this:
copy "C:\Program Files\CA\PAM\server\c2o\.c2orepository\.c2oagentresources\lib\log4j-1.2.15.jar" .
On Linux it looks like this:
cp /opt/CA/PAM/server/c2o/.c2orepository/.c2oagentresources/lib/log4j-1.2.15.jar .
e. Replace the log4j-1.2.15.jar packaged at the root of c2otransport-snapshot.jar with the cleaned copy; both zip and 7z overwrite an existing entry of the same name.
For Linux it would look like this:
zip -r c2otransport-snapshot.jar log4j-1.2.15.jar
For 7-Zip it would look like this:
7z u c2otransport-snapshot.jar log4j-1.2.15.jar
f. If you copied a log4j-1.2.15.jar file into this folder in step 6d, delete it now. If the file was already there, do NOT delete it.
On Windows it looks like this:
del log4j-1.2.15.jar
On Linux it looks like this:
rm -f log4j-1.2.15.jar
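The same six steps done with Python's standard-library zipfile, as an added example that is not Broadcom's code and not part of the original article. It assumes a Python 3 interpreter is available on the host; in exchange it behaves identically on Windows and Linux, needs neither zip nor 7-Zip, avoids the shell-quoting pitfall with SMTPAppender$1.class, rewrites the log4j-1.2.15.jar nested inside c2otransport-snapshot.jar in place instead of copying a jar in and out, and ends with the check the procedure above leaves out: listing anything a scanner would still flag. The class entries and jar names are the article's; the directory layout built by demo() and the placeholder class contents are constructed for illustration only.

```python
import fnmatch
import io
import os
import shutil
import tempfile
import zipfile

# Entries the article removes; '*' matches across '/' like zip -d. Jar and class
# names are from the article, everything else here is illustrative.
LOG4J_PATTERNS = [
    "org/apache/log4j/net/SocketServer.class",   # CVE-2019-17571
    "org/apache/log4j/net/SMTPAppender.class",   # CVE-2020-9488
    "org/apache/log4j/net/SMTPAppender$1.class",
    "org/apache/log4j/net/JMSSink.class",        # CVE-2022-23302
    "org/apache/log4j/jdbc*",                    # CVE-2022-23305
    "org/apache/log4j/chainsaw*",                # CVE-2022-23307
    "org/apache/log4j/net/JMSAppender.class",    # CVE-2021-4104
]
SAFE_PATTERNS = [                                # repackaged log4j in Safe-12.6.1.0.jar
    "com/ca/eiam/log4j/net/SocketServer.class",
    "com/ca/eiam/log4j/jdbc*",
    "com/ca/eiam/log4j/chainsaw*",
]
NESTED = "log4j-1.2.15.jar"                      # jar packaged inside c2otransport-snapshot.jar


def matches(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def strip_bytes(data, patterns, nested=None):
    """Return (zip_bytes, removed): drop matching entries; clean the `nested` jar entry in place."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if matches(info.filename, patterns):
                removed.append(info.filename)
                continue
            blob = src.read(info.filename)
            if nested and info.filename == nested:
                blob, inner = strip_bytes(blob, patterns)
                removed += [f"{nested}!/{n}" for n in inner]
            dst.writestr(info, blob)  # reusing the ZipInfo keeps each entry's compression method
    return out.getvalue(), removed


def strip_jar(path, patterns, nested=None):
    """Back the jar up to <name>_backup, as the article does, then rewrite it without the classes."""
    if not os.path.exists(path + "_backup"):
        shutil.copy2(path, path + "_backup")
    with open(path, "rb") as f:
        new, removed = strip_bytes(f.read(), patterns, nested)
    with open(path, "wb") as f:
        f.write(new)
    return removed


def remaining(path, patterns, nested=None):
    """Entries (outer or inside `nested`) a scanner would still flag; empty means remediated."""
    hits = []
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if matches(name, patterns):
                hits.append(name)
            elif nested and name == nested:
                with zipfile.ZipFile(io.BytesIO(z.read(name))) as inner:
                    hits += [f"{nested}!/{n}" for n in inner.namelist() if matches(n, patterns)]
    return hits


def find_jars(root, filename):
    """Python equivalent of `find <root> -name <filename>` / `dir /b/s`."""
    return sorted(os.path.join(d, filename) for d, _, fs in os.walk(root) if filename in fs)


def make_jar(path, entries, nested_from=None):
    """Constructed placeholder jar: each entry is a fake 4-byte class header (not real ITPAM code)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        for e in entries:
            z.writestr(e, b"\xca\xfe\xba\xbe")
        if nested_from:
            with open(nested_from, "rb") as f:
                z.writestr(NESTED, f.read())


def demo():
    """Build a toy PAM tree (constructed paths), run the procedure on all three jar types, report."""
    log4j = [p for p in LOG4J_PATTERNS if "*" not in p] + ["org/apache/log4j/jdbc/JDBCAppender.class",
             "org/apache/log4j/chainsaw/Main.class", "org/apache/log4j/Logger.class"]  # Logger must survive
    safe = ["com/ca/eiam/log4j/net/SocketServer.class", "com/ca/eiam/log4j/jdbc/JDBCAppender.class",
            "com/ca/eiam/log4j/chainsaw/Main.class", "com/ca/eiam/log4j/Logger.class"]
    with tempfile.TemporaryDirectory() as root:
        c2o = os.path.join(root, "server", "c2o")
        l4j = os.path.join(c2o, "lib", NESTED)
        make_jar(l4j, log4j)
        make_jar(os.path.join(c2o, "ext-lib", "Safe-12.6.1.0.jar"), safe)
        make_jar(os.path.join(c2o, "ext-deploy", "c2otransport-snapshot.jar"),
                 ["com/ca/c2o/Transport.class"], nested_from=l4j)
        jobs = [(NESTED, LOG4J_PATTERNS, None), ("Safe-12.6.1.0.jar", SAFE_PATTERNS, None),
                ("c2otransport-snapshot.jar", LOG4J_PATTERNS, NESTED)]
        report = {"remaining": [], "kept": 0}
        for name, pats, nested in jobs:
            for jar in find_jars(root, name):
                report[name] = len(strip_jar(jar, pats, nested))
                report["remaining"] += remaining(jar, pats, nested)
                report["kept"] += len(remaining(jar, ["*/Logger.class"], nested))
    return report
```

On a real system, stop all ITPAM processes first, point find_jars() at the install root (for example C:\Program Files\CA\PAM or /opt/CA/PAM) and at the PAMAgent directory, run strip_jar() on each hit with the matching pattern list (and nested=NESTED for c2otransport-snapshot.jar), and treat a non-empty remaining() list as a failed remediation. Keep the _backup files until the product has been restarted and verified, then remove them so the scanner does not flag the backups instead.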
The Log4j issues above are addressed in ITPAM 4.3.05 CP06.
Please upgrade to CP06 or later if you can; the manual steps above are a mitigation for installations that cannot upgrade yet.