Is Clarity Impacted by CVE-2026-34477

Article ID: 437671

Products

Clarity PPM On Premise, Clarity FedRAMP, Clarity PPM SaaS

Issue/Introduction

This document evaluates whether Clarity is affected by the vulnerability identified as CVE-2026-34477.

The objective is to assess potential exposure, determine if existing configurations or components within Clarity are susceptible, and outline any associated risks to system functionality, data integrity, or security. The analysis includes a review of the vulnerability details, impacted versions or dependencies, and the current Clarity environment to establish whether mitigation or remediation actions are required.

Environment

Clarity 16.4.1

Resolution

CVE-2026-34477 is not applicable to Clarity. The details are below:

  1. Log4j Version in Use: 2.17.2
    • Location: \\clarity_home\lib\log4j-core.jar
    • Classification: Below vulnerable range (2.12.0-2.25.3)
  2. Affected Appenders Not Detected
    • No SMTP appenders with <SslConfiguration> elements found
    • No Socket appenders with nested <SslConfiguration> elements found
    • No Syslog appenders with nested <SslConfiguration> elements found
  3. Logging Configuration Analysis:
    • Uses basic ConsoleAppender and FileAppender (no TLS)
    • No Log4j2 XML configuration files found that contain TLS/SSL configurations
  4. Mail Service Configuration
    • Mail service configurations support TLS via preferStartTls flag
    • This is for email protocol handling, NOT Log4j appender configuration
    • Uses standard Java mail API, not Log4j appenders
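
The appender check described in items 2 and 3 can be reproduced against a Log4j 2 XML configuration as shown below. This is an added example, not Broadcom's or Clarity's own tooling; the function names and sample configurations are constructed for illustration, and matching `<Ssl>` in addition to the `<SslConfiguration>` element named above is an assumption based on how Log4j 2 configuration examples write that plugin.

```python
import xml.etree.ElementTree as ET

# Appender plugins the article checks (element names matched case-insensitively).
TLS_CAPABLE_APPENDERS = {"smtp", "socket", "syslog"}
# The article names <SslConfiguration>; Log4j 2 configuration examples write the
# same plugin as <Ssl>/<SSL>, so both spellings are matched (assumption).
SSL_ELEMENTS = {"sslconfiguration", "ssl"}

# Constructed sample configurations, not taken from a Clarity installation.
SAMPLE_FLAGGED = """<Configuration><Appenders>
  <Console name="console"><PatternLayout pattern="%m%n"/></Console>
  <Socket name="remote" host="logs.example.invalid" port="6514">
    <Ssl><TrustStore location="truststore.jks"/></Ssl>
  </Socket>
  <Syslog name="plain" host="logs.example.invalid" port="514" protocol="TCP"/>
</Appenders></Configuration>"""
SAMPLE_CLEAN = """<Configuration><Appenders>
  <Console name="console"/>
  <File name="file" fileName="app.log"/>
</Appenders></Configuration>"""


def local_name(tag):
    """Strip any XML namespace and lower-case the element name."""
    return tag.rsplit("}", 1)[-1].lower()


def appender_kind(elem):
    """Return the plugin name, also handling strict-mode <Appender type="...">."""
    name = local_name(elem.tag)
    if name == "appender":
        name = elem.get("type", "").lower()
    return name


def find_tls_appenders(config_xml):
    """List (plugin, name) for SMTP/Socket/Syslog appenders with nested SSL config."""
    hits = []
    for elem in ET.fromstring(config_xml).iter():
        if appender_kind(elem) not in TLS_CAPABLE_APPENDERS:
            continue
        nested = (local_name(c.tag) for c in elem.iter() if c is not elem)
        if any(n in SSL_ELEMENTS for n in nested):
            hits.append((appender_kind(elem), elem.get("name", "")))
    return hits


if __name__ == "__main__":
    print(find_tls_appenders(SAMPLE_FLAGGED), find_tls_appenders(SAMPLE_CLEAN))
```

An empty result for every Log4j 2 XML configuration file in the deployment corresponds to the "Affected Appenders Not Detected" finding; properties, JSON or YAML configurations are not covered by this check.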

Additional Information

The Broadcom Clarity team conducts a comprehensive review of all third-party libraries as part of each release cycle and makes every effort to maintain such components at current and supported versions, consistent with applicable security, compatibility, and stability requirements.