Impact of Log4j vulnerabilities on Carbon Black EDR

Article ID: 425569

Updated On:

Products

Carbon Black EDR

Issue/Introduction

Third-party software (Apache Solr) on Carbon Black (CB) EDR is using Log4j version 2.17.2.

During a Vulnerability Assessment (VA) scan, it is flagged as vulnerable to the CVEs below, and you want to know the impact:

  1.  CVE-2025-68161
  2.  CVE-2026-34477 (Log4j TLS Host Mismatch)
  3.  CVE-2026-34478 (Log4j Log Injection)
  4.  CVE-2026-34488 (DLL Hijacking)
  5.  CVE-2026-34480 (Log4j Silent Log Event Loss in XmlLayout)
  6.  CVE-2026-34481
  7.  CVE-2026-34479

Resolution

1. CVE-2025-68161 

2. CVE-2026-34477 (Log4j TLS Host Mismatch)

  • Status: Not Vulnerable
  • Analysis: This vulnerability requires the use of SMTP, Socket, or Syslog appenders. Our Log4j configuration (log4j2.xml.template) exclusively uses RollingRandomAccessFile appenders. The vulnerable code paths cannot be triggered.
  • Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-34477

3. CVE-2026-34478 (Log4j Log Injection)

  • Status: Not Vulnerable
  • Analysis: This affects the Rfc5424Layout component. Our configuration relies entirely on standard PatternLayout for formatting log messages. The vulnerable layout is not used anywhere in our application.
  • Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-34478

4. CVE-2026-34488 (DLL Hijacking)

  • Status: False Positive / Unrelated
  • Analysis: The scanner incorrectly grouped this with Log4j. According to the NVD, this CVE is for a Windows DLL hijacking issue in a third-party application called "IP Setting Software". It has absolutely nothing to do with Apache Log4j, Java, or our codebase. It is likely that separate software is installed on the scanned host.
  • Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-34488

5. CVE-2026-34480 (Log4j Silent Log Event Loss in XmlLayout)

  • Status: Not Vulnerable / False Positive
  • Analysis: This vulnerability affects Apache Log4j Core versions prior to 2.25.4. It occurs when log messages contain forbidden XML 1.0 characters, causing the XmlLayout component to produce malformed XML or throw exceptions, leading to lost log events. Our Log4j configurations (e.g., log4j2.xml.template) rely exclusively on PatternLayout. Because the vulnerable component is not utilized, the application cannot be exploited by this vulnerability.
  • Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-34480
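The reasoning for items 2, 3 and 5 can be checked against a rendered Log4j 2 XML configuration by confirming that none of the components named in the analysis are configured. The script below is an added example, not part of the product or of this article's original content; the two sample configurations are constructed, and it assumes the deployed file (rendered from log4j2.xml.template) is well-formed XML.

```python
import xml.etree.ElementTree as ET

# Plugin name (lower-cased) -> CVE, taken from the analysis in this article.
FLAGGED = {
    "smtp": "CVE-2026-34477", "socket": "CVE-2026-34477",
    "syslog": "CVE-2026-34477", "rfc5424layout": "CVE-2026-34478",
    "xmllayout": "CVE-2026-34480",
}

def plugin_names(elem):
    """Yield the plugin names an element may refer to.
    Concise syntax uses the plugin name as the tag (<Socket .../>); strict
    syntax uses <Appender type="Socket"> or <Layout type="XmlLayout">."""
    tag = elem.tag.rsplit("}", 1)[-1]  # drop an XML namespace if present
    yield tag
    if tag.lower() in ("appender", "layout") and "type" in elem.attrib:
        yield elem.attrib["type"]

def audit_log4j2_config(xml_text):
    """Return sorted (cve, plugin, name attribute) for each flagged plugin."""
    findings = set()
    for elem in ET.fromstring(xml_text).iter():
        for plugin in plugin_names(elem):
            cve = FLAGGED.get(plugin.lower())  # plugin names are case-insensitive
            if cve:
                findings.add((cve, plugin, elem.get("name", "")))
    return sorted(findings)

# Constructed sample: file appender with PatternLayout only, as the article describes.
SAFE_CONFIG = """<Configuration><Appenders>
  <RollingRandomAccessFile name="MainLog" fileName="logs/app.log"
                           filePattern="logs/app-%i.log">
    <PatternLayout pattern="%d %p %c - %m%n"/>
    <Policies><SizeBasedTriggeringPolicy size="10 MB"/></Policies>
  </RollingRandomAccessFile>
</Appenders></Configuration>"""

# Constructed sample: uses the components the article names as prerequisites.
RISKY_CONFIG = """<Configuration><Appenders>
  <Socket name="Remote" host="logs.example.invalid" port="6514" protocol="SSL">
    <Rfc5424Layout appName="app"/>
  </Socket>
  <Appender type="File" name="XmlOut" fileName="logs/app.xml">
    <Layout type="XmlLayout"/>
  </Appender>
</Appenders></Configuration>"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, audit_log4j2_config(cfg) or "no flagged components")
```

An empty result supports the "Not Vulnerable" status only for the file that was scanned; any additional Log4j configuration files on the host need the same check.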

6. CVE-2026-34481

7. CVE-2026-34479