Hi,
SAP mentioned, in note "3130882 - IBM Db2 log4j vulnerability", the log4j vulnerability CVE-2021-44228 in components for federation. And IBM did so in its security bulletin "Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228)".
This is probably not used by a standard SAP installation, but how can I check it?
Can I uninstall some features that are not needed, and how?
I checked the installed features with this command: db2ls -q -a -b $DB2DIR
And in the Db2 software directory I found log4j-core-2.13.3.jar files.
    cd $DB2DIR && find -iname "*log4j*"
    ./federation/restservice/hyperledger-fabric/log4j-1.2-api-2.13.3.jar
    ./federation/restservice/hyperledger-fabric/log4j-api-2.13.3.jar
    ./federation/restservice/hyperledger-fabric/log4j-core-2.13.3.jar
    ./federation/restservice/hyperledger-fabric/log4j-jcl-2.13.3.jar
    ./federation/restservice/hadoop/log4j-1.2-api-2.13.3.jar
    ./federation/jdbc/lib/log4j-core-2.13.3.jar
    ./federation/jdbc/lib/log4j-api-2.13.3.jar
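
An inventory check for a directory listing like the one above, as an added example that is not part of the original post and not SAP or IBM tooling: it reports each log4j-core jar, whether its file-name version falls in the range assumed here for CVE-2021-44228, and whether the archive still contains the JndiLookup class. The function names, the version range (2.0 through 2.14.1, minus the 2.3.1+ and 2.12.2+ backports) and the sample tree are assumptions of this example.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", re.I)

def version_in_cve_range(v):
    # Assumed range for CVE-2021-44228: 2.0 through 2.14.1, minus the
    # 2.3.1+ and 2.12.2+ backport releases. Beta/rc names are not parsed.
    if not (2, 0, 0) <= v <= (2, 14, 1):
        return False
    if v[:2] == (2, 3) and v >= (2, 3, 1):
        return False
    return not (v[:2] == (2, 12) and v >= (2, 12, 2))

def scan(root):
    """Return one finding per log4j-core jar under root, sorted by path."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        m = CORE_JAR.match(jar.name)
        if not m:
            continue  # only log4j-core is inspected; api/jcl/1.2-api are skipped
        version = tuple(int(g or 0) for g in m.groups())
        try:
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_CLASS in zf.namelist()
        except zipfile.BadZipFile:
            has_jndi = None  # unreadable archive: report it, do not skip it
        findings.append({"path": jar.relative_to(root).as_posix(),
                         "version": ".".join(map(str, version)),
                         "in_cve_range": version_in_cve_range(version),
                         "has_jndi_lookup": has_jndi})
    return findings

def build_sample_tree(root):
    """Constructed sample: paths mirror the find output, contents are dummies."""
    sample = {
        "federation/jdbc/lib/log4j-core-2.13.3.jar": JNDI_CLASS,
        "federation/jdbc/lib/log4j-api-2.13.3.jar": "META-INF/MANIFEST.MF",
        "federation/restservice/hyperledger-fabric/log4j-core-2.13.3.jar": "META-INF/MANIFEST.MF",
    }
    for rel, entry in sample.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(entry, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        for finding in scan(d):
            print(finding)
```

To run it against a real installation, call scan() with the Db2 installation directory instead of the constructed tree.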