CA-APM - is it possible to remediate log4j security findings without upgrading the product


Article ID: 275118


Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

For APM, is it possible to remediate log4j security findings without upgrading the product from APM 10.7?

Environment

Release :

Resolution

We will no longer be supporting APM 10.7.x after 12-31-23, so please start planning to upgrade soon. 

According to the APM 10.8 and 23.x documentation, log4j has been replaced in the Enterprise Manager (EM). Agents at release 23.5 and later also contain no log4j.

Additional Information

References:

EM

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/application-performance-management/10-8/ca-apm-release-notes.html
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/application-performance-management/23-2/dx-apm-23-2-release-notes/23-2-new-features.html

Uses Logback for Logging
Logging now uses the Logback library. The configuration is stored in logback-ws.xml, logback-wv.xml, and config/logback-em.xml. Log4j is not used for logging anymore.

Agents 

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/dx-apm-agents/SaaS/release-notes/23-5.html