Security scan is flagging the following two log4j jars on an APM 10.7 installation with "Apache Log4j 1.2 Remote Code Execution Vulnerability" & "EOL/Obsolete Software: Apache Log4j 1.X Detected":
./APMSqlServer/repo/log4j-1.2.17-1.jar
./product/enterprisemanager/configuration/org.eclipse.osgi/bundles/213/1/.cp/WebContent/WEB-INF/lib/log4j-1.2.9.jar
Does a patch upgrade these versions?
Can they be removed from the system?
Release : 10.7.0
Component :
This is straight from the Advisory:
./APMSqlServer/repo/log4j-1.2.17-1.jar
So you should be able to remove APMSQL Server
./product/enterprisemanager/configuration/org.eclipse.osgi/bundles/213/1/.cp/WebContent/WEB-INF/lib/log4j-1.2.9.jar
I sent your response over to my security team. You can close the request.
I deleted the APMSQL Server jar.
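As an added example (not part of this thread and not code from the APM product or its advisory), here is a small Python inventory script that does what the scanner in the question does, but in a way an administrator can re-run after a removal: it walks an installation tree, identifies Log4j 1.x jars by their contents rather than their file name, records the version from the file name or the jar manifest, and lists whether each jar still ships the JMSAppender and SocketServer classes that Log4j 1.x remote-code-execution findings are usually tied to (that class list is an assumption made for the example, not something taken from the advisory). The directory layout and jar contents are constructed for the demo: the first two paths mirror the ones in the question, a Log4j 2 jar is included to show it is ignored, and a renamed 1.x jar with the risky classes stripped shows that content-based detection still finds it. Running it against a real installation root and comparing the output before and after deleting a jar confirms nothing else in the tree still carries the finding.

```python
"""Inventory Log4j 1.x jars under a directory tree and report which of them
still contain the classes that Log4j 1.x RCE scanner findings point at."""
import os
import re
import tempfile
import zipfile

# Assumption for this example: the classes a reviewer checks for after a
# "Log4j 1.2 Remote Code Execution" finding. Not taken from the advisory above.
RISKY_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)
# Version embedded in typical Log4j 1.x file names, e.g. log4j-1.2.17-1.jar
VERSION_RE = re.compile(r"log4j-(1\.\d+(?:\.\d+)?)")


def inspect_jar(path):
    """Return a finding dict for a Log4j 1.x jar, or None for any other file.

    Detection is by content: Log4j 1.x ships org/apache/log4j/Logger.class,
    while Log4j 2 lives under org/apache/logging/log4j/, so a renamed or
    repackaged 1.x jar is still caught and a Log4j 2 jar is not reported."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            manifest = ""
            if "META-INF/MANIFEST.MF" in names:
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    if "org/apache/log4j/Logger.class" not in names:
        return None
    # Prefer the version in the file name; fall back to the manifest for renamed jars
    match = VERSION_RE.search(os.path.basename(path))
    if not match:
        match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return {
        "path": path,
        "version": match.group(1) if match else None,
        "risky_classes": sorted(c for c in RISKY_CLASSES if c in names),
    }


def scan_tree(root):
    """Walk root and return findings for every Log4j 1.x jar, including jars
    inside hidden directories such as the .cp bundle caches in the question."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            finding = inspect_jar(full)
            if finding:
                finding["path"] = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def _write_jar(path, entries):
    """Create a constructed jar holding the given entry names and bodies."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)


def build_sample_tree(base):
    """Constructed sample: the two jars from the question (both still carrying
    the risky classes), a Log4j 2 jar that must not be reported, and a renamed
    Log4j 1.2.17 jar with the risky classes removed (reported, nothing risky)."""
    manifest = b"Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n"
    log4j1 = {"META-INF/MANIFEST.MF": manifest, "org/apache/log4j/Logger.class": b""}
    risky = {c: b"" for c in RISKY_CLASSES}
    _write_jar(os.path.join(base, "APMSqlServer/repo/log4j-1.2.17-1.jar"),
               {**log4j1, **risky})
    _write_jar(os.path.join(base, "product/enterprisemanager/configuration/org.eclipse.osgi/"
                            "bundles/213/1/.cp/WebContent/WEB-INF/lib/log4j-1.2.9.jar"),
               {**log4j1, **risky})
    _write_jar(os.path.join(base, "other/lib/log4j-core-2.17.1.jar"),
               {"META-INF/MANIFEST.MF": manifest,
                "org/apache/logging/log4j/core/Logger.class": b""})
    _write_jar(os.path.join(base, "lib/legacy-logging.jar"), log4j1)


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return scan_tree(base)


if __name__ == "__main__":
    for f in demo():
        status = "risky classes present" if f["risky_classes"] else "no risky classes"
        print(f"{f['path']}  version={f['version']}  {status}")
```

To use it on a real system, call `scan_tree("/path/to/apm")` instead of `demo()`; the `risky_classes` list is what distinguishes a jar that still needs attention from one where the offending classes have already been stripped, and an empty result after deleting a jar is the confirmation the security team asked for.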