Applications Manager and vulnerability CVE-2025-68161

Article ID: 429820


Products

CA Automic Applications Manager (AM)

Issue/Introduction

Is Applications Manager vulnerable to CVE-2025-68161?

Environment

Applications Manager 9.6 and above.

Resolution

Although Applications Manager ships the vulnerable version of the Log4j library, the product is not exploitable because we do not allow any configuration of Log4j.

Without the ability to configure Log4j, the Socket Appender cannot be used at all, let alone the Socket Appender with TLS.

Additional Information

CVE-2025-68161 is a Medium-severity security flaw in Apache Log4j Core affecting the Socket Appender. The component fails to perform TLS hostname verification on the peer’s certificate, even if hostname verification is explicitly enabled via configuration.

Necessary conditions for exploitation:

  • The Log4j Socket Appender must be configured to send logs over a TLS (SSL) connection to a remote logging server. If logging is only local or uses a different non-TLS transport, this specific flaw cannot be triggered. Applications Manager uses local logging.

  • Man-in-the-Middle (MitM) Control of Traffic: The attacker must be able to intercept or redirect network traffic between the logging client and the log receiver—for example, via ARP spoofing, malicious Wi-Fi, proxy control, or network compromise. Without this network position, the flaw cannot be triggered.

  • Attacker-Supplied Certificate Trusted by the Client: The attacker needs to present a TLS server certificate signed by a Certification Authority (CA) that the client trusts—either from the default Java trust store or a custom trust store configured for the appender. Because Log4j fails to verify that the certificate’s hostname matches the intended server, the client will accept it and establish the TLS connection. The Log4j supplied with Applications Manager does not allow for any configuration.
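
The first condition above (a Socket Appender sending logs over TLS) can be checked mechanically in any Log4j 2 XML configuration file. The following Python script is an added example, not code from Broadcom or the Log4j project; it assumes an XML-format configuration (properties, JSON, YAML and programmatic configuration are not covered), and the sample configuration, host and appender names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml; host and appender names are made up.
SAMPLE_CONFIG = """
<Configuration>
  <Appenders>
    <File name="local" fileName="logs/app.log"/>
    <Socket name="plainTcp" host="logs.example.internal" port="9500"/>
    <Socket name="tlsNested" host="logs.example.internal" port="6514">
      <Ssl><TrustStore location="trust.jks"/></Ssl>
    </Socket>
    <Appender type="Socket" name="tlsAttr" host="logs.example.internal"
              port="6514" protocol="SSL"/>
  </Appenders>
</Configuration>
"""


def _local(tag):
    """Lower-cased tag name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1].lower()


def tls_socket_appenders(config_xml):
    """Return (name, host, port) for each Socket appender that uses TLS."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        tag = _local(elem.tag)
        # Log4j 2 treats element and attribute names case-insensitively.
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        # Concise form <Socket ...> or strict form <Appender type="Socket" ...>
        is_socket = tag == "socket" or (
            tag == "appender" and attrs.get("type", "").lower() == "socket")
        if not is_socket:
            continue
        # TLS is selected by protocol="SSL" or by a nested <Ssl> element.
        nested_ssl = any(_local(child.tag) == "ssl" for child in elem)
        if attrs.get("protocol", "").upper() == "SSL" or nested_ssl:
            findings.append(
                (attrs.get("name"), attrs.get("host"), attrs.get("port")))
    return findings


if __name__ == "__main__":
    for name, host, port in tls_socket_appenders(SAMPLE_CONFIG):
        print(f"Socket appender {name!r} sends logs over TLS to {host}:{port}")
```

An empty result means the configuration file defines no TLS Socket Appender, so the first condition is not met for that file.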