We have upgraded all PM instances to 21.2.12

Although Broadcom states that Log4J 1.x isn't vulnerable in the 21.2.12 release we still see it in these directories and files.

/opt/CA/IMDataAggregator/backup/apache-activemq/lib/optional/log4j-1.2.17.jar
/opt/CA/IMDataCollector/backup/apache-activemq/lib/optional/log4j-1.2.17.jar

This causes vulnerability issues based on our Qualys scanning.

DX NetOps Performance Management Data Aggregator still references log4j files in (default path) /opt/IMDataAggregator/backup directories.

DX NetOps Performance Management Data Collector still references log4j files in (default path) /opt/IMDataCollector/backup directories.

All supported DX NetOps Performance Management releases.

The backup directory referenced contains files:

• Backed up during upgrades for re-use post upgrade.
• Files necessary for recovery scenarios during failed upgrades.
• Files sometimes useful in resolving problems that arise post upgrade.

The files in the backup directory referenced are not needed nor are they used in any way for normal product operation. They can normally be deleted without impacting product operation or function.

Is the answer to these questions yes? If so the backup directory and it's contents can safely be deleted.

• Was the most recent upgrade to the current version successful?
• Does the tool function properly post upgrade?

• Can we delete the backup directory itself?
  • Yes. It is safe to delete the backup directory itself along with everything it contains.
  • It is also acceptable to leave the backup directory in place while ensuring it is empty by removing everything contain inside the backup directory.
  • Both options are acceptable.