Is Applications Manager impacted by Log4j vulnerability CVE-2026-34477?



Article ID: 440085


Products

CA Automic Applications Manager (AM)

Issue/Introduction

Vulnerability scanners may report that CA Automic Applications Manager (AM) is vulnerable to CVE-2026-34477 because it ships Apache Log4j library versions 2.12.0 through 2.25.3.

CVE-2026-34477 Summary:

This is a follow-on to CVE-2025-68161. While hostname verification was fixed for the log4j2.sslVerifyHostName system property, the verifyHostName attribute on the <Ssl> element was effectively ignored through version 2.25.3. This could allow Man-in-the-Middle (MITM) attacks in affected appender setups (CWE-297).

Environment

CA Automic Applications Manager (AM) version 9.6.2 and older

Cause

Exploitation of this vulnerability requires a specific application configuration:

  1. Use of Log4j Core with SMTP, Socket, or Syslog appenders.
  2. TLS must be enabled via a nested <Ssl> configuration.
  3. An attacker must be on the network path and able to present a trusted certificate.
  4. The application must rely on the verifyHostName attribute on the <Ssl> element for protection.
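The four preconditions above can be checked mechanically. The script below is an added example, not Broadcom's or the Log4j project's code: it scans a log4j2.xml for SMTP, Socket or Syslog appenders whose TLS comes from a nested <Ssl> element (preconditions 1, 2 and 4) and combines that with the affected version range from the Issue section. The sample configuration is constructed for this example and is not Applications Manager's configuration.

```python
import xml.etree.ElementTree as ET

# Log4j Core appender types named in the CVE's preconditions; Log4j matches
# plugin element names case-insensitively, so this scan does too.
RISKY_APPENDERS = {"smtp", "socket", "syslog"}
# Affected Log4j Core versions per the advisory, inclusive.
AFFECTED_MIN, AFFECTED_MAX = (2, 12, 0), (2, 25, 3)

# Constructed sample log4j2.xml for this example only; NOT Applications Manager's config.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <Syslog name="Audit" host="syslog.example.internal" port="6514" protocol="TCP">
      <Ssl verifyHostName="true">
        <TrustStore location="truststore.p12" password="changeit"/>
      </Ssl>
    </Syslog>
  </Appenders>
</Configuration>
"""

def is_affected_version(version):
    """True if a Log4j Core version string such as '2.25.3' lies in the affected range."""
    return AFFECTED_MIN <= tuple(int(p) for p in version.split(".")) <= AFFECTED_MAX

def find_ssl_reliant_appenders(xml_text):
    """Return (appender_type, name, verifyHostName) for every SMTP/Socket/Syslog appender
    whose TLS is configured through a nested <Ssl> element (preconditions 1, 2 and 4)."""
    root = ET.fromstring(xml_text)
    hits = []
    for appenders in (e for e in root.iter() if e.tag.lower() == "appenders"):
        for app in appenders:
            if app.tag.lower() not in RISKY_APPENDERS:
                continue
            for ssl in (c for c in app if c.tag.lower() == "ssl"):
                # This attribute is what affected versions ignore; report it as configured.
                verify = next((v for k, v in ssl.attrib.items()
                               if k.lower() == "verifyhostname"), None)
                hits.append((app.tag, app.get("name"), verify))
    return hits

def exposure_report(xml_text, log4j_version):
    """Version in range AND pattern present is the case the CVE describes; version in
    range with no hits is a scanner false positive, which is AM's situation."""
    hits = find_ssl_reliant_appenders(xml_text)
    return {"affected_version": is_affected_version(log4j_version),
            "ssl_appenders": hits, "pattern_present": bool(hits)}
```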

Resolution

Applications Manager is not exploitable for CVE-2026-34477.

Applications Manager does not use SMTP, Socket, or Syslog appenders with <Ssl>-based TLS in the vulnerable pattern described by this CVE. Therefore, the vulnerability is not applicable to AM.


Future Remediation

To address the concerns raised by security scanners, Broadcom will upgrade the Log4j libraries to version 2.25.4 (or newer) in the following upcoming releases:

  • Applications Manager 9.6.3
  • Applications Manager 10.0

If you have further questions regarding your specific scan results, please contact Broadcom Support.