Clarity XOG client and Log4j CVE-2025-68161 vulnerability



Article ID: 438252


Products

Clarity PPM SaaS, Clarity PPM On Premise

Issue/Introduction

A vulnerability scan may flag the Clarity XOG client due to the included version of Log4j Core (e.g., version 2.20.0). The vulnerability identified is CVE-2025-68161, which relates to Apache Log4j Core versions 2.0-beta9 through 2.25.2 failing to perform TLS hostname verification in the Socket Appender. This could potentially allow a Man-in-the-Middle (MITM) attack to intercept or redirect log traffic.

Environment

Clarity 16.4.1 XOG (XML Open Gateway) Client

Cause

CVE-2025-68161 specifically impacts the Log4j Socket Appender when using TLS for remote logging. The software ignores the verifyHostName setting, failing to verify the peer certificate's hostname.

Resolution

The Clarity XOG client is not affected by CVE-2025-68161 in its default configuration.

  1. Logging Mechanism: The XOG client's default logging implementation (DMLogger) uses a FileAppender only. It does not use a Socket or TLS appender for remote log forwarding.
  2. Vulnerability Scope: This CVE does not impact standard HTTPS sessions between the XOG client and Clarity; it is restricted to Log4j's network/socket logging traffic.
  3. Risk Assessment: Because the vulnerable code path (Socket Appender with TLS) is not utilized by the default XOG client, the MITM scenario described in the advisory does not apply.
  4. Action: No remediation or upgrade is required for the default XOG client. Exposure would only occur if a customer manually customized the log4j2.xml to include a TLS Socket Appender for remote log redirection.
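The fourth point is the condition a customer can verify directly: the exposure exists only when log4j2.xml declares a Socket appender with an SSL element. The script below is an added example (not part of this article or the XOG client) that scans a log4j2.xml for exactly that appender; the two configurations it runs against are constructed samples, not the file shipped with the client.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a file-only log4j2.xml (an assumption, not the
# file actually shipped with the XOG client).
FILE_ONLY_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <File name="XogLog" fileName="xog.log"><PatternLayout pattern="%d %-5p %m%n"/></File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="XogLog"/></Root></Loggers>
</Configuration>"""

# Constructed sample: the same file customized to forward logs over TLS, which is
# the Socket-Appender-with-SSL path CVE-2025-68161 describes. Note that the
# verifyHostName attribute is set, yet the advisory says affected versions ignore it.
TLS_FORWARDING_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <File name="XogLog" fileName="xog.log"><PatternLayout pattern="%d %-5p %m%n"/></File>
    <Socket name="Remote" host="logs.example.internal" port="6514" protocol="TCP">
      <SSL verifyHostName="true"><TrustStore location="trust.p12" password="changeit"/></SSL>
      <JsonLayout/>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="XogLog"/><AppenderRef ref="Remote"/></Root>
  </Loggers>
</Configuration>"""


def _is_socket_appender(elem):
    # Log4j 2 accepts either <Socket ...> or the strict form <Appender type="Socket" ...>;
    # plugin element names are case-insensitive, so compare lower-cased.
    tag = elem.tag.lower()
    return tag == "socket" or (tag == "appender" and (elem.get("type") or "").lower() == "socket")


def tls_socket_appenders(config_xml):
    """Return the names of Socket appenders that carry an <SSL> child element.
    An empty list means the vulnerable code path is not configured at all."""
    root = ET.fromstring(config_xml)
    return [
        elem.get("name", "<unnamed>")
        for elem in root.iter()
        if _is_socket_appender(elem) and any(child.tag.lower() == "ssl" for child in elem)
    ]
```

Run `tls_socket_appenders` over the contents of the client's actual log4j2.xml; a non-empty result names the appender(s) that would need attention, an empty one confirms the default file-only setup.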