Symantec IGA 14.4 is shipped with log4j 1.x libraries.
The following vulnerabilities have been reported against Apache log4j 1.x:
CVE-2021-44832, CVE-2022-23305, CVE-2022-23307, CVE-2019-17571, CVE-2021-4104, CVE-2020-9488, and CVE-2023-26464
Apart from that, the Apache Log4j 1.x libraries have already reached end of life.
Is IGA affected by these vulnerabilities?
When will the libraries shipped with IGA be upgraded?
Release : 14.4
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
The IGA core application and its dependent tools are not impacted by the vulnerabilities that exist in Apache log4j 1.x.
This is because IGA does not use any of the vulnerable classes or tools of the log4j 1.x library.
1. CVE-2021-44832: IGA doesn't use the JDBCAppender packaged in log4j, hence there is no possibility of SQL injection through Remote Code Execution (RCE).
2. CVE-2022-23305: IGA doesn't use the Apache Chainsaw tool packaged in log4j, hence there is no possibility of malicious code execution.
3. CVE-2022-23307: IGA doesn't use the Apache Chainsaw tool packaged in log4j, hence there is no possibility of malicious code execution.
4. CVE-2019-17571: IGA doesn't open a SocketServer to listen to external sources, hence there is no possibility of Remote Code Execution (RCE).
5. CVE-2021-4104: IGA doesn't use the JMSAppender, hence there is no possibility of an untrusted-data deserialization issue.
6. CVE-2020-9488: IGA doesn't use the SMTPAppender.
7. CVE-2023-26464: IGA doesn't use the SocketAppender.
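The reasoning above rests on which log4j 1.x classes a deployment actually wires in, and that is something an operator can verify in their own logging configuration rather than take on trust. The following Python script is an added example, not part of this article or of the IGA product: it scans the text of a log4j.properties or log4j.xml file for the appender classes named in the list above (JDBCAppender, JMSAppender, SMTPAppender, SocketAppender) and reports whether any logger actually references each one. SocketServer and Chainsaw are standalone entry points started from a command line, so they do not appear in logging configuration and are out of scope here. The sample configurations embedded below are constructed for illustration.

```python
import re

# Log4j 1.x appender classes named in the CVE list above. SocketServer and
# Chainsaw are launched as separate programs and never show up in a
# log4j.properties / log4j.xml file, so they are not part of this check.
RISKY_APPENDERS = {
    "org.apache.log4j.jdbc.JDBCAppender",
    "org.apache.log4j.net.JMSAppender",
    "org.apache.log4j.net.SMTPAppender",
    "org.apache.log4j.net.SocketAppender",
}

# log4j.properties: "log4j.appender.NAME=fully.qualified.Class". Option lines
# such as log4j.appender.NAME.layout=... carry an extra dot and are not matched.
PROPS_APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([\w\-]+)\s*=\s*([\w.$]+)\s*$", re.M)
# log4j.properties: logger lines whose value is "LEVEL, appenderA, appenderB".
PROPS_LOGGER_RE = re.compile(
    r"^\s*log4j\.(?:rootLogger|rootCategory|logger\.[\w.]+|category\.[\w.]+)\s*=\s*(.*?)\s*$",
    re.M,
)
# log4j.xml: <appender ...> tags (attribute order varies) and <appender-ref ref="NAME"/>.
# The lookahead keeps "<appender-ref" from being mistaken for an appender tag.
XML_APPENDER_RE = re.compile(r"<appender(?=[\s>/])([^>]*)>", re.I)
XML_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
XML_REF_RE = re.compile(r'<appender-ref\b[^>]*\bref\s*=\s*"([^"]+)"', re.I)


def declared_appenders(config_text):
    """Map appender name -> class for log4j.properties and log4j.xml text alike."""
    found = {m.group(1): m.group(2) for m in PROPS_APPENDER_RE.finditer(config_text)}
    for tag in XML_APPENDER_RE.finditer(config_text):
        attrs = dict(XML_ATTR_RE.findall(tag.group(1)))
        if "name" in attrs and "class" in attrs:
            found[attrs["name"]] = attrs["class"]
    return found


def attached_appenders(config_text):
    """Names of appenders that some logger actually writes to.

    A declared appender nobody references is inert: the log4j 1.x configurators
    only instantiate an appender when a logger (or the root logger) refers to it.
    """
    attached = set()
    for m in PROPS_LOGGER_RE.finditer(config_text):
        tokens = [t.strip() for t in m.group(1).split(",")]
        attached.update(t for t in tokens[1:] if t)  # first token is the level
    attached.update(XML_REF_RE.findall(config_text))
    return attached


def find_risky_appenders(config_text):
    """Return sorted (name, class, attached) triples for risky appender classes."""
    attached = attached_appenders(config_text)
    return sorted(
        (name, cls, name in attached)
        for name, cls in declared_appenders(config_text).items()
        if cls in RISKY_APPENDERS
    )


# Constructed sample configurations (not taken from any product).
SAMPLE_PROPERTIES = """
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app.log
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
"""

SAMPLE_XML = """<?xml version="1.0"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout"/>
  </appender>
  <appender class="org.apache.log4j.net.SocketAppender" name="remote">
    <param name="RemoteHost" value="loghost.example"/>
  </appender>
  <root>
    <level value="info"/>
    <appender-ref ref="console"/>
  </root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, text in (("properties", SAMPLE_PROPERTIES), ("xml", SAMPLE_XML)):
        for name, cls, attached in find_risky_appenders(text):
            state = "ATTACHED to a logger" if attached else "declared but unreferenced"
            print(f"[{label}] {name}: {cls} ({state})")
```

Run it against the real logging configuration of each component, including standalone tools that ship their own log4j.properties, and treat an attached hit as the item to remediate; a declared-but-unreferenced hit is a configuration hygiene finding rather than an active exposure. The check only reads configuration text, so it says nothing about code that builds appenders programmatically.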
The IGA core applications were already upgraded to the latest log4j 2.x version as part of IGA v14.4.1.
IGA will remove the remaining log4j 1.x library references and dependencies in the standalone tools and in third-party dependencies in its upcoming release, v14.4.3.