Old connector Log4j files not removed in RSA Governance & Lifecycle
2 years ago
Article Number
000068176
Applies To

This is a known issue in the following versions.

  • SecurID Governance & Lifecycle 7.5.2 P03

This issue only occurs for customers who originally installed the 7.5.2 GA version and then patched manually to 7.5.2 P03.

Customers who installed 7.5.2 P03 directly using the P03 installer are not susceptible to this issue.

Issue

Vulnerability scanners may still detect legacy log4j 1.2 files after the 7.5.2 P03 (or later) patch has been applied, even though that patch updates the log4j libraries used by the application. On an affected system the leftover files are found under the WildFly deployment directory, for example:

/home/oracle/wildfly-24.0.1.Final/domain/servers/img-server-1/tmp/vfs/deployment/deploymentce14e3e2e63ff111/log4j-1.2.17.jar-ac85bf9ec2e9f73b/log4j-1.2.17.jar
/home/oracle/wildfly-24.0.1.Final/domain/servers/img-server-1/tmp/vfs/deployment/deploymentce14e3e2e63ff111/aveksa.war-17e64ca16167e125/VaronisCollector1/lib/log4j-1.2.17.jar
/home/oracle/wildfly-24.0.1.Final/domain/servers/img-server-1/tmp/vfs/deployment/deploymentce14e3e2e63ff111/aveksa.war-17e64ca16167e125/HL7AccountCollector1/lib/log4j-1.2.17.jar
/home/oracle/wildfly-24.0.1.Final/domain/servers/img-server-1/tmp/vfs/deployment/deploymentce14e3e2e63ff111/aveksa.war-17e64ca16167e125/HL7EntitlementCollector1/lib/log4j-1.2.17.jar
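The following script is an added example and is not part of the RSA article or the product. It enumerates and counts any remaining log4j 1.x jars under a WildFly home so an administrator can verify a patched system before a scanner reports it. The default root path is the one used in the article; the RUN_SCAN and WILDFLY_HOME variables, and the name of the updated 2.x jar in the constructed sample tree, are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the RSA article: enumerate legacy log4j 1.x jars
# under a WildFly home so a patched 7.5.2 P03 system can be verified before a
# vulnerability scanner flags it. The WILDFLY_HOME default and the 2.x jar
# name used in the sample tree are assumptions.

# Print every log4j 1.x jar under the given root, one path per line, sorted.
find_legacy_log4j() {
    find "$1" -type f -name 'log4j-1.*.jar' 2>/dev/null | sort
}

# Count the legacy jars; a non-zero result means the patch left files behind.
count_legacy_log4j() {
    n=$(find_legacy_log4j "$1" | wc -l)
    echo $((n + 0))
}

# Build a constructed directory tree (sample input, not a real install) that
# mirrors the four leftover paths the article lists, plus one updated 2.x jar
# that must not be reported.
make_sample_tree() {
    dep="$1/domain/servers/img-server-1/tmp/vfs/deployment/deploymentce14e3e2e63ff111"
    war="$dep/aveksa.war-17e64ca16167e125"
    mkdir -p "$dep/log4j-1.2.17.jar-ac85bf9ec2e9f73b" \
             "$war/VaronisCollector1/lib" \
             "$war/HL7AccountCollector1/lib" \
             "$war/HL7EntitlementCollector1/lib" \
             "$war/WEB-INF/lib"
    : > "$dep/log4j-1.2.17.jar-ac85bf9ec2e9f73b/log4j-1.2.17.jar"
    : > "$war/VaronisCollector1/lib/log4j-1.2.17.jar"
    : > "$war/HL7AccountCollector1/lib/log4j-1.2.17.jar"
    : > "$war/HL7EntitlementCollector1/lib/log4j-1.2.17.jar"
    : > "$war/WEB-INF/lib/log4j-core-2.x.jar"   # assumed name for the updated library
}

# Scan a real installation when invoked with RUN_SCAN=1; the default root is
# the path from the article and can be overridden with WILDFLY_HOME.
if [ "${RUN_SCAN:-0}" = "1" ]; then
    root="${WILDFLY_HOME:-/home/oracle/wildfly-24.0.1.Final}"
    find_legacy_log4j "$root"
    echo "legacy log4j 1.x jars found: $(count_legacy_log4j "$root")"
fi
```

Run it as `RUN_SCAN=1 sh check-log4j.sh` on the application server; a count of zero after upgrading to 7.5.2 P07 confirms the leftover collector jars are gone. Note that the paths the article lists sit under WildFly's `tmp/vfs` exploded-deployment area, which is re-extracted from the deployed archive, so deleting only those copies by hand is not a durable fix; the supported resolution is the P07 upgrade.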
Cause

Although the patch updater removes the legacy log4j files from the main aveksa application, it fails to identify that the same files also need to be removed for the legacy collectors, so copies of log4j-1.2.17.jar remain in the deployed collector directories listed above.

This issue only occurs during patching. Installations created directly with the 7.5.2 P03 installer are not affected.

Resolution

This issue is resolved in the following versions.
  • SecurID Governance & Lifecycle 7.5.2 P07