The following vulnerabilities are reported in an ITCM 14.6 GA environment:
<ITCM Install Location>\CA\DSM\Web Console\webapps\wac.war
Installed version: 2.12.1
Fixed version: 2.25.3
The version of Apache Log4j on the remote host is 2.0-beta9 through 2.25.2. The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic.
The version of Apache Log4j on the remote host is 2.0 < 2.3.2, 2.4 < 2.12.4, or 2.13 < 2.17.1. It is, therefore, affected by a remote code execution vulnerability. Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
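An added example, not part of the Broadcom article, that checks the Log4j Core jar bundled in a WAR such as wac.war against the two affected ranges described above. The sample WAR, the finding labels and the version-from-file-name approach are assumptions made here; the affected and fixed versions are the ones stated in the article.

```python
import io
import re
import zipfile

# Log4j Core ships in WEB-INF/lib with the version in the jar name.
LOG4J_CORE = re.compile(r"^WEB-INF/lib/log4j-core-(.+)\.jar$")


def parse_version(text):
    """'2.12.1' -> (2, 12, 1, 1); '2.0-beta9' -> (2, 0, 0, 0).
    The last element orders pre-releases (0) before the final release (1);
    individual beta numbers are not distinguished."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?$", text)
    if not m:
        raise ValueError("unrecognised version: " + text)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def findings(version):
    """Return the issues from the advisory that apply to this Log4j Core version."""
    v = parse_version(version)
    hits = []
    # Socket Appender without TLS hostname verification: 2.0-beta9 through 2.25.2
    if parse_version("2.0-beta9") <= v < parse_version("2.25.3"):
        hits.append("socket-appender-no-hostname-verification")
    # JDBC Appender JNDI RCE: 2.0-beta7 .. 2.17.0, fixed in 2.3.2, 2.12.4, 2.17.1
    rce = [("2.0-beta7", "2.3.2"), ("2.4", "2.12.4"), ("2.13", "2.17.1")]
    if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in rce):
        hits.append("jdbc-appender-jndi-rce")
    return hits


def scan_war(war_bytes):
    """Map each bundled log4j-core jar version to the findings that apply."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = LOG4J_CORE.match(name)
            if m:
                report[m.group(1)] = findings(m.group(1))
    return report


def build_sample_war(version):
    """Constructed stand-in for wac.war: a WAR holding only an empty
    log4j-core jar whose file name carries the given version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-%s.jar" % version, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, hits in scan_war(build_sample_war("2.12.1")).items():
        print(ver, "->", hits or ["no findings from this advisory"])
```

Run against the real wac.war by passing its bytes to `scan_war`; the installed 2.12.1 reports both findings, while 2.25.3 reports none.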
CA IT Client Automation 14.6 GA
There is a fix available to remediate these vulnerabilities.
Please contact Broadcom Support and request patch T55V446.
Patch T55V446 will be included in the 14.6 CUM1 cumulative patch.
As of April 2026, 14.6 CUM1 is tentatively scheduled to be available sometime in May 2026 (subject to change).