Identity Manager - Vulnerability Scan found log4j-1.2.17.jar file under /iam_im.ear/ca-nim-sm.war.bak folder

IM 14.5 non-vApp upgraded from pre IM 14.5 versions

On a fresh 14.5 installation there is no longer the \iam_im.ear\ca-nim-sm.war folder as there used to be with IM 14.4 so if this was an upgraded system that would explain why the \iam_im.ear\ca-nim-sm.war was renamed to \iam_im.ear\ca-nim-sm.war.bak instead.

The *.bak is no longer in use so you should remove it (you can store a backup outside of JBoss/Wildfly if you wish). 

For reference on that please review the following product doc link:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-5/Release-Notes/release-features-and-enhancement/identity-manager-14-5.html#concept.dita_d3303fde-e786-4fd4-b0b6-e3a28fd60a82_InternalNIM

Removed Normalized Integration Management for Service Management (NIM SM) from Installer

Normalized Integration Management for Service Management (NIM SM) is now removed from the Identity Manager 14.5 installer. We support and distribute NIM SM for an external integration only. Customers with an existing internal NIM SM integration must set up an external integration for the continued support.
For information about how to set up an external NIM SM integration, see Service Desk Management (https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-5/configuring/service-desk-management.html)