A number of vulnerabilities have been published for Apache Log4J version 2 impacting Log4j2 2.0-beta9 through to 2.25.3
Siteminder bundles Apache Log4J2 in a number of components, including Siteminder ASA Agents
Log4J by Siteminder ASA Agent Version:
r12.7: Log4j 2.10.0
r12.8: Log4j 2.10.0
Log4j 2.25.3 was delivered in a series of component-specific KBs.
PRODUCT: Siteminder
COMPONENT: Policy Server, Access Gateway Server; AdminUI; SDK; Application Server Agent (ASA)
VERSION: 12.8.7; 12.8.8, 12.8.8.1; 12.9
OPERATING SYSTEM: Any
The following CVEs have been published for Log4j, impacting all versions of Log4j 2.25.3 and older.
CVE-2026-34481 "Improper serialization of non-finite floating-point values in JsonTemplateLayout"
IMPACT: Medium
DESCRIPTION: Apache Log4j’s JsonTemplateLayout, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.
IMPACTED: Log4J 2.25.3 and older
REMEDIATED: Log4J 2.25.4
CVE-2026-34480 "Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters"
IMPACT: Medium
DESCRIPTION: Apache Log4j Core’s XmlLayout, in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification producing invalid XML output whenever a log message or MDC value contains such characters.
IMPACTED: Log4J 2.25.3 and older
REMEDIATED: Log4J 2.25.4
CVE-2026-34479 "Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters"
IMPACT: Medium
DESCRIPTION: The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.
IMPACTED: Log4J 2.25.3 and older
REMEDIATED: Log4J 2.25.4
CVE-2026-34478 "Log injection in Rfc5424Layout due to silent configuration incompatibility"
IMPACT: Medium
DESCRIPTION: Apache Log4j Core’s Rfc5424Layout, in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.
IMPACTED: Log4J 2.25.3 and older
REMEDIATED: Log4J 2.25.4
CVE-2026-34477 "verifyHostName attribute silently ignored in TLS configuration"
IMPACT: Medium
DESCRIPTION: The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName attribute of the <Ssl> element.
IMPACTED: Log4J 2.25.3 and older
REMEDIATED: Log4J 2.25.4
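The first four CVEs above share one failure mode: a layout emits a record that the collector or indexer downstream silently drops. The Python below is an added example, not part of this KB and not Log4j project or Siteminder code. It scans already-emitted log records for the three output defects described (non-finite numbers that RFC 8259 forbids in JSON, characters that XML 1.0 forbids, and embedded CR/LF inside a single RFC 5424 syslog message) so that an operator can find records a downstream system would reject before, or after, upgrading. The sample records are constructed for illustration; the character ranges come from the standards themselves. CVE-2026-34477 is a configuration-handling defect and has no output to check, so it is not covered here.

```python
"""Defender-side checks for emitted log records (added example, not vendor code)."""
import json
import re

# XML 1.0 section 2.2 allows only #x9, #xA, #xD, #x20-#xD7FF, #xE000-#xFFFD and
# #x10000-#x10FFFF. A conforming parser must raise a fatal error on anything else.
# Lone surrogates are also forbidden but cannot survive strict UTF-8 decoding,
# so they are not listed here.
_XML10_FORBIDDEN = re.compile("[\u0000-\u0008\u000b\u000c\u000e-\u001f\ufffe\uffff]")

# Match CRLF first so a Windows line break is reported once, not twice.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")


def _reject_non_finite(token: str):
    # json.loads() accepts NaN/Infinity/-Infinity unless told otherwise, which is
    # exactly why such a record can look fine locally and still be rejected by
    # an RFC 8259-strict consumer downstream.
    raise ValueError(f"non-finite value {token!r} is not valid RFC 8259 JSON")


def check_json_record(line: str) -> list[str]:
    """Return the problems found in one JSON log record (empty list if clean)."""
    try:
        json.loads(line, parse_constant=_reject_non_finite)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return [str(exc)]
    return []


def check_xml_record(line: str) -> list[str]:
    """Return every code point in the record that XML 1.0 forbids, with its offset."""
    return [f"U+{ord(m.group()):04X} at offset {m.start()}"
            for m in _XML10_FORBIDDEN.finditer(line)]


def check_syslog_record(line: str) -> list[str]:
    """Return the offsets of line breaks embedded inside one syslog message.

    A line-oriented collector splits such a record in two, so an embedded
    break is the observable symptom of the Rfc5424Layout CRLF issue.
    """
    body = line.rstrip("\r\n")  # the record's own terminator is expected
    return [f"line break at offset {m.start()}" for m in _LINE_BREAK.finditer(body)]


def scan(lines, checker) -> dict[int, list[str]]:
    """Map 1-based record number to problems for every record the checker rejects."""
    return {n: probs for n, raw in enumerate(lines, 1) if (probs := checker(raw))}


# Constructed sample records (not captured from any real system).
SAMPLE_JSON = [
    '{"ts":"2026-01-01T00:00:00Z","level":"INFO","ratio":0.5}',
    '{"ts":"2026-01-01T00:00:01Z","level":"WARN","ratio":NaN}',
    '{"ts":"2026-01-01T00:00:02Z","level":"WARN","ratio":-Infinity}',
]
SAMPLE_XML = [
    '<event level="INFO"><message>login ok</message></event>',
    '<event level="INFO"><message>bad\x00byte\x1b[0m</message></event>',
]
SAMPLE_SYSLOG = [
    "<14>1 2026-01-01T00:00:00Z host app - - - normal message\n",
    "<14>1 2026-01-01T00:00:01Z host app - - - message with embedded\r\nline break\n",
]

if __name__ == "__main__":
    for name, lines, checker in (
        ("json", SAMPLE_JSON, check_json_record),
        ("xml", SAMPLE_XML, check_xml_record),
        ("syslog", SAMPLE_SYSLOG, check_syslog_record),
    ):
        for n, probs in scan(lines, checker).items():
            print(f"{name} record {n}: {'; '.join(probs)}")
```

Run it over a real log file with `scan(open(path, encoding="utf-8"), check_xml_record)` (or the matching checker); any non-empty result is a record that a strict downstream parser would have dropped, which is the "silent log event loss" the CVE titles refer to.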
Siteminder bundles a subset of the Log4j binaries and does not use all of its features. Siteminder components are not susceptible to the CVEs listed above. It is suggested that you upgrade to Log4j 2.25.3 using the KBs below:
427360 "Vulnerability in Log4j 2.25.2 And Older on Siteminder Application Server Agents (ASA)"
427357 "Vulnerability in Log4j 2.25.2 And Older on Siteminder SDK"
427332 "Vulnerability in Log4j 2.25.2 And Older on Siteminder AdminUI"
427312 "Vulnerability in Log4j 2.25.2 and Older on Siteminder Access Gateway"
427325 "Vulnerability in Log4j 2.25.2 And Older on the Siteminder Policy Server"