So let's review what was previously said:
1) The Log4J Advisory summary:
Broadcom Engineering has determined that core APM 9.7 thru APM 10.7.x servers (Collectors/MOMs/TESS/TIM/WebView) and APM 9.7 thru APM 10.7/11.x/SaaS/20.x/21.x java based agents (i.e. Weblogic, Websphere, Tomcat, EPAgent, UMA,...) are not affected by the above CVEs because APM is using a forked and customized version of Log4j 1.2 which has been optimized and modified from the original Log4j 1.2 and APM does not enable the SocketServer or JMSAppender classes. This forked and customized version of Log4j 1.2 is maintained by Broadcom and does not rely on external support.
2) This raises the question: is APMIA a Java-based agent? Given that it is a superset of EPA, and from the opening lines in the doc, it clearly is a Java agent.
Infrastructure Agent is a bundle of extensions and monitors that collects and sends data to the Enterprise Manager for processing. This agent contains scripts and wrappers to run a **standalone JVM process**
3) I found this KB on Data Power and Log4J. https://knowledge.broadcom.com/external/article?articleId=255463
I added 10.8 to the 2x.x mention.
Case#33335110 Infrastructure Agent Good to Close
- The IA agent 10.8 uses a custom Log4J, so any findings against it are false positives. Once we get the DataPower agent moved to IA, we will use the same F/P discussion to do a false-positive request to our vulnerabilities team.
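
The advisory's argument rests on the SocketServer and JMSAppender classes not being enabled, which can be checked directly when backing a false-positive request. The following is an added example, not part of the original post or any Broadcom tooling; it assumes the class names of stock Apache Log4j 1.2 (a vendor fork may rename or drop them) and uses a constructed sample config.

```python
import io
import zipfile

# Class names from stock Apache Log4j 1.2; a vendor fork may differ (assumption).
RISKY_APPENDERS = {"org.apache.log4j.net.JMSAppender"}
RISKY_CLASS_FILES = {
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
}

def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def risky_appenders(text):
    """Return {appender_name: attached_to_a_logger} for risky appender classes."""
    props = parse_properties(text)
    attached = set()
    for key, value in props.items():
        if key.startswith(("log4j.rootLogger", "log4j.rootCategory",
                           "log4j.logger.", "log4j.category.")):
            # Value is "LEVEL, appender1, appender2"; the first item is the level.
            attached.update(p.strip() for p in value.split(",")[1:])
    found = {}
    for key, value in props.items():
        name = key[len("log4j.appender."):]
        if (key.startswith("log4j.appender.") and "." not in name
                and value in RISKY_APPENDERS):
            found[name] = name in attached
    return found

def risky_classes_in_jar(jar_bytes):
    """List risky class files packaged in a jar (present is not the same as enabled)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(RISKY_CLASS_FILES & set(jar.namelist()))

# Constructed sample: console appender in use, JMS appender defined but unattached.
SAMPLE = """\
log4j.rootLogger=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=sampleTopic
"""
```

A scanner that matches on jar contents alone will report the class as present; the config check shows whether any logger actually routes events to it, which is the distinction the false-positive request needs to document.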