Remediating Nessus Vulnerability, CVE-2021-45046, Scan Flags for Log4j in Identity Suite 15.0 pwdtools

Article ID: 440583


Products

- CA Identity Suite
- CA Identity Manager

Issue/Introduction

A Nessus security scan flags a critical vulnerability (e.g., CVE-2021-45046) related to older Apache Log4j libraries in an Identity Suite 15.0 environment.


Example Scan Output:
- Path: `/opt/brcm/iga/inst/imps/startup/pwdtools/lib/log4j-core-2.12.0.jar` 
- Installed version: 2.12.0
- Fixed version: 2.12.2 or higher

Environment

Identity Suite 15.0

Cause

The vulnerability is detected in the "pwdtools" directory located under the IMPS (Identity Management Provisioning Server) installation path. In Identity Suite 15.0 Fix Pack 4 and higher, this specific directory is redundant because the updated and secure version of the password tools is maintained in the IDM directory path.

Resolution

Starting with Fix Pack 4, the "pwdtools" under the IDM folder ship with a patched Log4j (e.g., 2.25.3 or higher). The copy located under the "imps" path is no longer needed and can be safely removed.

Steps to Remediate:

1. Verify Version: Confirm your environment is running Identity Suite 15.0 Fix Pack 4 or higher.

2. Backup: Create a backup of the directory before deletion:

   ```bash
   tar -cvf pwdtools_backup.tar /opt/brcm/iga/inst/imps/startup/pwdtools
   ```

3. Remove Redundant Directory: Delete the legacy `pwdtools` folder to clear the scan finding:

   ```bash
   rm -rf /opt/brcm/iga/inst/imps/startup/pwdtools
   ```

4. Verify Active Tools: Ensure you are using the updated tools located at:
   `/opt/brcm/iga/inst/idm/startup/pwdtools/lib/`
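The steps above, as an added shell example that is not part of the Broadcom article: it goes slightly beyond the steps by auditing the whole install root for any `log4j-core-*.jar` below the fixed version quoted in the scan (2.12.2), and it only backs up and removes the redundant `imps` pwdtools directory when the updated `idm` tools are actually present. The install root, the jar naming pattern and the sample directory tree are assumptions.

```bash
#!/bin/sh
# Added example, not code from the Broadcom article or the product.
# Assumes an install root laid out as <root>/imps/startup/pwdtools and
# <root>/idm/startup/pwdtools, with jars named log4j-core-<version>.jar.

FIXED_VERSION="2.12.2"   # fixed version named in the Nessus finding

# version_lt A B -> true (exit 0) when dotted version A is lower than B
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# list_vulnerable_log4j ROOT -> prints every log4j-core jar below FIXED_VERSION
list_vulnerable_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
        ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "$jar"
        fi
    done
}

# remove_legacy_pwdtools ROOT BACKUP_TAR -> archives, then deletes, the imps copy.
# Refuses to delete unless the updated idm tools exist, so a misconfigured host
# is never left without any password tools.
remove_legacy_pwdtools() {
    legacy="$1/imps/startup/pwdtools"
    active="$1/idm/startup/pwdtools/lib"
    [ -d "$legacy" ] || { echo "no legacy pwdtools at $legacy"; return 0; }
    [ -d "$active" ] || { echo "updated tools missing at $active; not removing" >&2; return 1; }
    tar -cf "$2" -C "$1" imps/startup/pwdtools || return 1
    rm -rf "$legacy"
}

# build_sample_tree -> constructed layout mirroring the article's paths (test data only)
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/imps/startup/pwdtools/lib" "$root/idm/startup/pwdtools/lib"
    : > "$root/imps/startup/pwdtools/lib/log4j-core-2.12.0.jar"   # the flagged jar
    : > "$root/idm/startup/pwdtools/lib/log4j-core-2.25.3.jar"    # Fix Pack 4+ tools
    echo "$root"
}

# Usage on a real host: list_vulnerable_log4j /opt/brcm/iga/inst
#                       remove_legacy_pwdtools /opt/brcm/iga/inst /root/pwdtools_backup.tar
```

Running `list_vulnerable_log4j` a second time after the removal should print nothing, which is the same result the rescan is expected to show.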

Additional Information

- Remediation for Apache Log4j Core Vulnerabilities in Identity Manager 14.5.x and 15.0

- Identity Suite 15.0 Release Notes - Fix Pack 6