The log4j-1.2.17.jar file exist in affewbservices application. This file has reached EOL since 2015. Below is the path:
Apache URL: Log4j – Apache Log4j Security Vulnerabilities
Log4j 1.x has reached End of Life in 2015 and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.
What does Broadcom vendor recommend the customers should do ?
SPS: 12.8 SP4
this file can be safely removed from the system without any impact to siteminder or affwebservice.