There are known vulnerabilities in the Log4j version used by some SiteMinder components that are fixed in Log4j v2.25.4:
- Apache Log4j 2.21.0 < 2.25.4 Rfc5424Layout Log Injection (CVE-2026-34478)
- Apache Log4j 2.0-alpha1 < 2.25.4 XmlLayout Invalid XML Output (CVE-2026-34480)
- Apache Log4j 2.12.0 < 2.25.4 SSL Hostname Verification Bypass (CVE-2026-34477)
- Component: SiteMinder Policy Server, AdminUI and CA Access Gateway
- Version and Operating System: Any OS or Version
The Log4j CVEs CVE-2026-34478, CVE-2026-34480, and CVE-2026-34477 do not affect SiteMinder components.
These vulnerabilities are exploitable if Log4j has socket configuration enabled, but SiteMinder components do not enable sending logs over TLS through the socket by default, nor do they use Syslog appenders that allow a network-based attacker to intercept or modify log data.
Therefore, these vulnerabilities do not impact the SiteMinder components.
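To check that a customized deployment still matches the default described above, the following added example (not Broadcom or Apache code) scans a Log4j 2 XML configuration for the Socket and Syslog appenders, TLS settings, and the two layouts named in the CVE titles. The sample configurations are constructed for illustration, and the element-to-CVE mapping is taken only from the titles listed in this article.

```python
import xml.etree.ElementTree as ET

# Log4j 2 plugin names (matched case-insensitively) and why each is flagged.
FLAGS = {
    "socket": "Socket appender: log events leave the host over the network",
    "syslog": "Syslog appender: log events leave the host over the network",
    "ssl": "TLS settings on a network appender (CVE-2026-34477)",
    "rfc5424layout": "Rfc5424Layout in use (CVE-2026-34478)",
    "xmllayout": "XmlLayout in use (CVE-2026-34480)",
}

def audit_log4j2_config(xml_text):
    """Return sorted (plugin, reason) pairs for flagged configuration elements."""
    findings = set()
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        # Strict-style configs use <Appender type="Socket"> / <Layout type="XmlLayout">.
        plugin = el.get("type", tag) if tag.lower() in ("appender", "layout") else tag
        key = plugin.lower()
        if key in FLAGS:
            findings.add((plugin, FLAGS[key]))
        # A Syslog appender with format="RFC5424" formats events with Rfc5424Layout.
        if key == "syslog" and el.get("format", "").upper() == "RFC5424":
            findings.add(("Rfc5424Layout", FLAGS["rfc5424layout"]))
    return sorted(findings)

# Constructed sample: file-only logging, nothing to flag.
SAFE_CONFIG = """<Configuration>
  <Appenders>
    <RollingFile name="file" fileName="logs/app.log" filePattern="logs/app-%i.log">
      <PatternLayout pattern="%d %p %m%n"/>
      <Policies><SizeBasedTriggeringPolicy size="10 MB"/></Policies>
    </RollingFile>
  </Appenders>
</Configuration>"""

# Constructed sample: remote logging over TLS with Rfc5424Layout.
RISKY_CONFIG = """<Configuration>
  <Appenders>
    <Socket name="remote" host="logs.example.internal" port="6514" protocol="SSL">
      <Rfc5424Layout appName="demo"/>
      <Ssl><TrustStore location="truststore.jks"/></Ssl>
    </Socket>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for plugin, reason in audit_log4j2_config(RISKY_CONFIG):
        print(f"{plugin}: {reason}")
```

An empty result means the configuration uses none of the flagged elements; any finding means the Log4j version in that component should be compared against the fixed release, 2.25.4.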