Impact of Apache Log4j vulnerabilities: CVE-2026-34477, CVE-2026-34480 on Endpoint Protection Manager, and Live Update Administrator

Article ID: 438139


Products

Endpoint Protection

Issue/Introduction

Is Symantec Endpoint Protection Manager (SEPM) or Live Update Administrator (LUA) affected by the following Apache Log4j vulnerabilities:

  • CVE-2026-34477
  • CVE-2026-34480

Environment

Symantec Endpoint Protection Manager (SEPM) 14.3 RU9
Symantec Endpoint Protection Manager (SEPM) 14.4
Live Update Administrator 2.3.14

Resolution

14.3 RU9:

  • CVE-2026-34477 and CVE-2026-34480: No impact because SEPM does not use Apache Log4j.


14.4: 

  • CVE-2026-34477 and CVE-2026-34480: No impact because SEPM does not configure or invoke the vulnerable components.

    NOTE: In 14.4, the Log4j 2.20.0 jars found in the tomcat\webapps directory are included as a transitive dependency by a third-party application bundled within SEPM. As a result, security scanners may still flag SEPM 14.4 for these CVEs.

    We are updating Webswing in the upcoming SEPM version 14.5, tentatively targeted for Q4 2026.
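
To confirm which Log4j jars a scanner is reacting to, the following added example (not part of the original article and not vendor tooling) walks a directory such as tomcat\webapps and reports the artifact name and version of every Log4j 2 jar it finds, including jars nested inside WAR or EAR files. It assumes the jars carry the Maven `pom.properties` metadata that Log4j 2 jars normally ship with; the function names are illustrative.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata entry carried by Log4j 2 jars (assumption: not stripped by repackaging)
POM_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/(log4j-[\w-]+)/pom\.properties$")
ARCHIVE_EXT = (".jar", ".war", ".ear")
MAX_DEPTH = 3  # bound recursion into nested archives


def scan_archive(data, label, found, depth=0):
    """Append (location, artifact, version) for each Log4j 2 artifact in one archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # corrupt or non-zip file with an archive extension: skip it
    with zf:
        for name in zf.namelist():
            match = POM_RE.search(name)
            if match:
                props = zf.read(name).decode("utf-8", "replace")
                ver = re.search(r"^version=(.+)$", props, re.M)
                version = ver.group(1).strip() if ver else "unknown"
                found.append((label, match.group(1), version))
            elif name.lower().endswith(ARCHIVE_EXT) and depth < MAX_DEPTH:
                # e.g. WEB-INF/lib/*.jar inside a WAR
                scan_archive(zf.read(name), f"{label}!{name}", found, depth + 1)


def find_log4j(root):
    """Walk root and return every Log4j 2 artifact found in jar/war/ear files."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path.read_bytes(), str(path), found)
    return found


if __name__ == "__main__":
    # Usage: python find_log4j.py <path to tomcat\webapps>
    for location, artifact, version in find_log4j(sys.argv[1]):
        print(f"{version}\t{artifact}\t{location}")
```

The output only inventories what is on disk; whether a listed jar is exposed still depends on whether the product configures or invokes the affected component, as described above.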

LUA 2.3.14:

  • CVE-2026-34477: No impact, because LUA does not use any comm server to forward Log4j-generated logs.
  • CVE-2026-34480: No impact, because the XMLLayout component is not used.

Additional Information

CRE-23828