CVE-2025-68161 Apache Log4j Core is missing TLS hostname verification in Socket appender in CCA Configuration Automation



Article ID: 428679


Products

CA Configuration Automation

Issue/Introduction

In a vulnerability scan, Configuration Automation 12.9 is flagged for the following vulnerability:

CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification in Socket appender

The reported vulnerable file is located at:

CA\CCA Grid Node\lib\log4j-core-2.17.1.jar

The suggested solution is to upgrade to Apache Log4j Core version 2.25.3.

Is Configuration Automation Affected by this vulnerability?

How can we fix this vulnerability?

Environment

CCA: r12.9.0.126

Cause

Apache Log4j Core versions 2.0-beta9 through 2.25.2 do not perform TLS hostname verification of the peer certificate in the Socket appender. The appender still validates the certificate chain, but it accepts a certificate issued for any host name as long as it chains to a trusted CA, so a peer holding such a certificate can impersonate the log server the appender connects to.

See the CVE entry for further details.

Resolution

Yes, Configuration Automation is affected by the reported vulnerability.

We have a code fix that upgrades the bundled Apache Log4j Core to version 2.25.3.

To remediate this vulnerability, please open a case with Broadcom Support to request the code fix.
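Before opening the case, and again after the code fix is applied, it is worth confirming which copies of log4j-core actually sit under the install tree, since a scanner matching on the file name would miss a renamed or repackaged copy. The script below is an added example written for this article; it is not part of Configuration Automation or the Broadcom fix. It reads the version from each jar's own Maven pom.properties and falls back to the manifest; the pom.properties path is the standard Maven location for the log4j-core artifact, while the manifest fallback assumes a shipped jar carries an Implementation-Title of "Apache Log4j Core". The install tree it scans when run without arguments is constructed inside the script.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, Iterator, Optional, Tuple

FIXED_VERSION = "2.25.3"      # first release with the Socket appender hostname check
FIRST_AFFECTED = "2.0-beta9"  # start of the affected range in the advisory

# Locations Maven writes into a log4j-core jar; the manifest title is an assumption.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"
CORE_TITLE = "Apache Log4j Core"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, str]:
    """'2.17.1' or '2.0-beta9' -> comparable tuple; a pre-release tag sorts below the final."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, tag or "")


def needs_upgrade(version: str) -> bool:
    """True for every release in the affected range 2.0-beta9 .. 2.25.2."""
    return parse_version(FIRST_AFFECTED) <= parse_version(version) < parse_version(FIXED_VERSION)


def jar_version(path: str) -> Optional[str]:
    """Version recorded inside a log4j-core jar, or None if the jar is something else."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:  # preferred: written by Maven for exactly this artifact
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if MANIFEST in names:        # fallback: manifest title plus version
            manifest = zf.read(MANIFEST).decode("utf-8", "replace")
            title = re.search(r"^Implementation-Title:\s*(.+)$", manifest, re.M)
            version = re.search(r"^Implementation-Version:\s*(.+)$", manifest, re.M)
            if title and version and title.group(1).strip() == CORE_TITLE:
                return version.group(1).strip()
    return None


def scan(root: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (path, version, needs_upgrade) for every log4j-core jar under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version = jar_version(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip it rather than abort the scan
            if version is not None:
                yield path, version, needs_upgrade(version)


def make_sample_install(root: str) -> None:
    """Write a constructed install tree of fake jars (zip files holding only metadata)."""
    def write_jar(relpath: str, members: Dict[str, str]) -> None:
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            for member, body in members.items():
                zf.writestr(member, body)

    pom = "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={}\n"
    manifest = "Manifest-Version: 1.0\nImplementation-Title: {}\nImplementation-Version: {}\n"
    # The jar the scanner reported, identified by pom.properties.
    write_jar("CCA Grid Node/lib/log4j-core-2.17.1.jar", {POM_PROPERTIES: pom.format("2.17.1")})
    # A copy at the fixed version.
    write_jar("CCA Grid Node/lib/log4j-core-2.25.3.jar", {POM_PROPERTIES: pom.format("2.25.3")})
    # A renamed vulnerable copy with only a manifest: the file name reveals nothing.
    write_jar("other/lib/logging.jar", {MANIFEST: manifest.format(CORE_TITLE, "2.17.1")})
    # log4j-api is a different artifact and must not be reported.
    write_jar("other/lib/log4j-api-2.17.1.jar", {MANIFEST: manifest.format("Apache Log4j API", "2.17.1")})


def scan_sample() -> Dict[str, Tuple[str, bool]]:
    """Scan the constructed tree; keys are '/'-separated paths relative to its root."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    make_sample_install(root)
    return {os.path.relpath(p, root).replace(os.sep, "/"): (v, n) for p, v, n in scan(root)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real install root, e.g. the CCA Grid Node directory
        rows = {os.path.relpath(p, sys.argv[1]): (v, n) for p, v, n in scan(sys.argv[1])}
    else:
        rows = scan_sample()
    for path, (version, flagged) in sorted(rows.items()):
        print(f"{'UPGRADE' if flagged else 'ok     '}  {version:<10} {path}")
```

Run it with the CCA Grid Node directory as the only argument to scan a real install; with no argument it builds the constructed tree and scans that. Every line marked UPGRADE is a copy still inside the affected range, and a renamed jar such as the constructed logging.jar is reported on the strength of its manifest alone.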