Is Applications Manager impacted by Log4j vulnerability CVE-2026-34478?

Article ID: 440088

Updated On:

Products

CA Automic Applications Manager (AM)

Issue/Introduction

Vulnerability scans may flag CA Automic Applications Manager (AM) for CVE-2026-34478 because AM ships an Apache Log4j Core library in the 2.21.0 through 2.25.3 range. The scanner finding is version-based; it does not establish that the affected code path is actually configured.

CVE-2026-34478 Summary:

The vulnerability is a log-injection and framing issue in the Rfc5424Layout component of Log4j Core. Because security-relevant layout settings were renamed silently, a configuration that relies on the old setting names can stop escaping newlines in the message body. Over a TCP syslog stream that uses RFC 6587 framing, an unescaped CR/LF in attacker-influenced log content can then terminate the current record and inject a new one (CRLF/log injection, CWE-117). The same silent rename can cause TLS syslog users to be downgraded to unframed TCP without proper escaping (CWE-684).
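To make the framing problem concrete, the following added example (constructed for this article; it is not Log4j code and does not reproduce the Log4j attribute rename) shows why an unescaped newline matters on a TCP syslog stream. RFC 6587 non-transparent framing terminates each record with LF, so a message body that carries an embedded LF is read by the collector as two records; escaping the newline, or using octet-counting framing (which carries an explicit length), keeps it as one. The header fields, the tainted message and the tiny receivers are all placeholders.

```python
"""Constructed RFC 6587 framing demo: one tainted message, two framings.

Not Log4j code. It models a layout whose newline escaping can be on or
off, a sender that frames records for TCP syslog, and a receiver that
splits the byte stream back into records.
"""


def rfc5424_line(app: str, msg: str, escape_newlines: bool) -> str:
    """Build a minimal RFC 5424 record with placeholder header fields.

    Only the MSG part varies. With escape_newlines=True, CR and LF inside
    MSG are rewritten so they can never act as a frame terminator.
    """
    if escape_newlines:
        msg = msg.replace("\r", "\\r").replace("\n", "\\n")
    return f"<14>1 2026-01-01T00:00:00Z host {app} - - - {msg}"


def frame_non_transparent(record: str) -> bytes:
    """RFC 6587 3.4.2: record followed by a trailer character (LF)."""
    return (record + "\n").encode()


def frame_octet_counting(record: str) -> bytes:
    """RFC 6587 3.4.1: decimal byte length, a space, then the record."""
    body = record.encode()
    return f"{len(body)} ".encode() + body


def parse_non_transparent(stream: bytes) -> list[str]:
    """Receiver for LF-terminated framing: every LF ends a record."""
    return [r.decode() for r in stream.split(b"\n") if r]


def parse_octet_counting(stream: bytes) -> list[str]:
    """Receiver for octet-counting framing: the length, not LF, delimits."""
    records = []
    i = 0
    while i < len(stream):
        space = stream.index(b" ", i)
        length = int(stream[i:space])
        records.append(stream[space + 1:space + 1 + length].decode())
        i = space + 1 + length
    return records


# Constructed attacker-influenced content: a username containing an LF
# followed by a forged, well-formed RFC 5424 record.
TAINTED = (
    "login failed for user bob\n"
    "<14>1 2026-01-01T00:00:00Z host am - - - login ok for user admin"
)


def records_seen(escape_newlines: bool, octet_counting: bool) -> list[str]:
    """Records the collector ends up with for TAINTED under a given setup."""
    record = rfc5424_line("am", TAINTED, escape_newlines)
    if octet_counting:
        return parse_octet_counting(frame_octet_counting(record))
    return parse_non_transparent(frame_non_transparent(record))


if __name__ == "__main__":
    for esc, octet in [(False, False), (True, False), (False, True)]:
        seen = records_seen(esc, octet)
        print(f"escape={esc} octet_counting={octet}: {len(seen)} record(s)")
```

Only the first combination (no escaping, LF-terminated framing) yields two records, the second of which is entirely attacker-authored; that is the CWE-117 outcome the CVE summary describes. Escaping at the layout, or a framing that does not depend on LF, removes it.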

Environment

CA Automic Applications Manager (AM) 9.6.2 and older

Cause

The vulnerability applies only if all of the following conditions are met:

  1. Log4j Core version 2.21.0 through 2.25.3 is in use.
  2. Logging is sent over a stream-based (TCP or TLS) syslog connection with Rfc5424Layout configured directly on the appender.
  3. An attacker can influence log message content so that CRLF sequences reach the receiving syslog or XML pipeline.

Note: Apache has explicitly stated that users of the standard SyslogAppender alone are not affected, because its attributes were not renamed in the same way.
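The three conditions can be partly checked from files. The added example below (written for this article; not a Broadcom or Apache tool) parses a Log4j 2 XML configuration and a log4j-core jar file name: it decides condition 1 from the jar version and condition 2 by looking for Socket appenders over TCP or SSL that carry an Rfc5424Layout directly, while deliberately not reporting the standard Syslog appender. Condition 3 depends on who can write to the logged fields and is left for manual review. The two configurations embedded at the bottom are constructed samples, not AM's shipped configuration; the assumption that a Socket appender defaults to TCP when no protocol is given is noted in the code.

```python
"""Constructed applicability check for the conditions above.

Not a Broadcom or Apache tool. It reads a Log4j 2 XML configuration as
a string and a log4j-core jar file name, and reports whether the two
file-checkable conditions (version range, direct Rfc5424Layout on a
stream appender) hold.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_LOW = (2, 21, 0)
AFFECTED_HIGH = (2, 25, 3)


def core_version_from_jar(jar_name):
    """Parse 'log4j-core-X.Y.Z.jar' into (X, Y, Z); None for any other jar."""
    m = re.fullmatch(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar", jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def version_in_affected_range(version):
    """Condition 1: Log4j Core 2.21.0 through 2.25.3 inclusive."""
    return AFFECTED_LOW <= tuple(version) <= AFFECTED_HIGH


def _has_rfc5424_layout(appender):
    # Log4j 2 XML accepts either <Rfc5424Layout .../> or the strict form
    # <Layout type="Rfc5424Layout" .../> as a child of an appender.
    if appender.find("Rfc5424Layout") is not None:
        return True
    layout = appender.find("Layout")
    return layout is not None and layout.get("type") == "Rfc5424Layout"


def stream_rfc5424_appenders(config_xml):
    """Condition 2: names of <Socket> appenders over TCP or SSL that declare
    an Rfc5424Layout directly. Assumption: a Socket appender with no
    protocol attribute is treated as TCP. The standard <Syslog> appender is
    not reported, matching Apache's note that SyslogAppender alone is
    unaffected."""
    root = ET.fromstring(config_xml)
    hits = []
    for appender in root.iter("Socket"):
        protocol = appender.get("protocol", "TCP").upper()
        if protocol in ("TCP", "SSL") and _has_rfc5424_layout(appender):
            hits.append(appender.get("name", "<unnamed>"))
    return hits


def assess(jar_name, config_xml):
    """Combine conditions 1 and 2 into a verdict string. Condition 3
    (attacker influence over logged content) needs manual review."""
    version = core_version_from_jar(jar_name)
    if version is None or not version_in_affected_range(version):
        return "not affected: Log4j Core version outside 2.21.0-2.25.3"
    hits = stream_rfc5424_appenders(config_xml)
    if not hits:
        return "not affected: no stream appender uses Rfc5424Layout directly"
    return "review: stream Rfc5424Layout appenders " + ", ".join(hits)


# Constructed sample configurations (not AM's shipped log4j2.xml).
AFFECTED_CFG = """<Configuration>
  <Appenders>
    <Socket name="syslogTcp" host="collector.example" port="6514" protocol="SSL">
      <Rfc5424Layout appName="AM"/>
    </Socket>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="syslogTcp"/></Root></Loggers>
</Configuration>"""

UNAFFECTED_CFG = """<Configuration>
  <Appenders>
    <Syslog name="syslog" host="collector.example" port="514"
            protocol="TCP" format="RFC5424" appName="AM"/>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="syslog"/></Root></Loggers>
</Configuration>"""


if __name__ == "__main__":
    print(assess("log4j-core-2.25.3.jar", AFFECTED_CFG))
    print(assess("log4j-core-2.25.3.jar", UNAFFECTED_CFG))
    print(assess("log4j-core-2.25.4.jar", AFFECTED_CFG))
```

Run it against the real log4j2.xml and the jar name found under the AM installation; a "review" verdict means conditions 1 and 2 hold and condition 3 must be assessed, while a "not affected" verdict on a flagged host gives the justification a scanner finding needs.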

Resolution

Applications Manager is not exploitable for CVE-2026-34478.

Applications Manager uses the standard SyslogAppender configuration, which Apache has confirmed is unaffected, and does not configure Rfc5424Layout directly on a stream-based syslog appender. Condition 2 above is therefore not met, and the vulnerability does not apply even though the bundled Log4j Core version falls in the flagged range. Scanner findings based on the library version alone can be treated as a false positive for this CVE, pending the library upgrade described below.

Future Remediation

Although the current configuration is not exploitable, Broadcom will remove the flagged library version by upgrading Log4j to 2.25.4 (or newer) in the following releases:

  • Applications Manager 9.6.3
  • Applications Manager 10.0

For additional information or assistance with security audit justifications, please contact Broadcom Support.