We need to delete these below files on our OC server due to a security vulnerability detected.

apache log4j 2.7.0.0 (["c:\\program files (x86)\\nimsoft\\probes\\service\\wasp\\webapps\\rest\\web-inf\\lib\\log4j-core-2.7.jar","c:\\program files (x86)\\nimsoft\\probes\\service\\wasp\\webapps\\uimapi.war","c:\\program files (x86)\\nimsoft\\probes\\service\\wasp\\webapps\\uimapi\\web-inf\\lib\\log4j-core-2.7.jar","c:\\program files (x86)\\nimsoft\\probes\\service\\wasp\\webapps\\webservices_rest.war"])

Request you to please confirm if these can be deleted without having any impact on the tool?

• Release: 20.3.3

• The vulnerability in question, CVE-2021-44832, is classified as "Medium" and for UIM is considered LOW risk.  As of 20.46, we have updated to log4j 2.17.1 as part of the regularly planned and scheduled probe updates.  No hotfixes will be released for this vulnerability per Broadcom policy, but you should update to the latest available probe versions as they are released.
  
  
• The best approach to take at this time would be to upgrade to UIM 20.4 CU5  to take full advantage of all the DX UIM security updates. 

• From 20.3.3, you must first upgrade to 20.4, then to 20.4 CU5.

• The best option for upgrading is to take advantage of our weekend upgrade program. To register for the next available weekend upgrade, please click this url: https://enterprise-software.broadcom.com/weekend-upgrade-program

• As per Broadcom Development/Engineering, the log4j-core-2.7.1 jar files should not be deleted as this will cause logging and other failures. Deleting files will cause issues in the DX UIM application and the process is not certified.