CVE-2025-68161 describes an issue in Apache Log4j Core versions 2.0-beta9 through 2.25.2 where the Socket Appender does not perform TLS hostname verification even when verifyHostName or log4j2.sslVerifyHostName is enabled. This could allow a man-in-the-middle attack under certain network and certificate trust conditions.

AutoSys Workload Automation / WCC (WebUI)

Workload Automation Agents

Embedded Entitlements Manager

AutoSys Engineering has completed a comprehensive review regarding the Log4j2 SocketAppender vulnerability. We have confirmed that the vulnerability is strictly confined to the Log4j2 SocketAppender functionality.

Findings:
It has been determined that AutoSys and its associated Agents are not affected by this vulnerability based on the following:

• API Usage: Neither the AutoSys core nor its Agents utilize the Log4j SocketAppender API within the source code.
• Programmatic Configuration: There is no programmatic implementation of the SocketAppender configuration within the environment.
• Runtime Configuration: Autosys or Agents have no Log4j configuration that references the log4j SocketAppender functionality at runtime.

Scope of Verified Components:
The following components are confirmed to be secure in their default state:

• AutoSys Workload Automation: Scheduler, Application Server, Client, WebUI (WCC), AEWS, SOAP Web Server, and Common Services (CSAM, CCI, etc.)
• Workload Automation System Agents and all associated Plugins.
• Security: Embedded Entitlements Manager (EEM).