Is Service Catalog affected by the CVE-2025-68161 vulnerability?
Service Catalog 17.4 RU5 and earlier
Although Service Catalog ships the vulnerable version of the log4j library, the product is not exploitable because we don't use the Socket Appender.
The only appenders Service Catalog uses are Console Appender and RollingFileAppender.
The Engineering team has confirmed that the log4j version for Service Catalog will be updated in the next releases (17.4 RU6 and 17.5) where this vulnerability is not present.
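To check on a given installation that no Socket Appender is configured, the appenders declared in the logging configuration can be listed. The script below is an added example, not code from the vendor or from Service Catalog. It assumes a Log4j 2 style XML configuration; the sample configuration, appender names and host in it are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from Service Catalog).
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="stdout"><PatternLayout pattern="%d %p %m%n"/></Console>
    <RollingFile name="file" fileName="logs/app.log" filePattern="logs/app-%i.log">
      <Policies><SizeBasedTriggeringPolicy size="10 MB"/></Policies>
    </RollingFile>
    <Appender type="Socket" name="remote" host="logs.example.test" port="6514"/>
  </Appenders>
</Configuration>
"""

def _local(tag):
    """Strip an XML namespace prefix: '{ns}Socket' -> 'Socket'."""
    return tag.rsplit("}", 1)[-1]

def _plugin(elem):
    """Plugin type in concise (<Socket>) or strict (<Appender type="Socket">) form."""
    name = _local(elem.tag)
    if name.lower() == "appender" and elem.get("type"):
        return elem.get("type")
    return name

def audit_appenders(xml_text):
    """Return (top_level_appenders, socket_appender_names) for an XML config."""
    root = ET.fromstring(xml_text)
    declared, sockets = [], []
    for node in root.iter():
        if _local(node.tag).lower() != "appenders":
            continue
        declared += [(_plugin(c), c.get("name")) for c in node]
        # Scan every descendant so a Socket appender nested inside
        # another appender is not missed.
        for d in node.iter():
            if d is not node and _plugin(d).lower() == "socket":
                sockets.append(d.get("name"))
    return declared, sockets

if __name__ == "__main__":
    declared, sockets = audit_appenders(SAMPLE_CONFIG)
    for plugin, name in declared:
        print(f"appender {name!r}: {plugin}")
    print("Socket appenders found:", sockets or "none")
```

An empty second list means the configuration declares only non-Socket appenders, which is the condition the statement above relies on.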