Is Applications Manager impacted by Log4j vulnerability CVE-2026-34480?

Article ID: 440090

Products

CA Automic Applications Manager (AM)

Issue/Introduction

Vulnerability scans may report that CA Automic Applications Manager (AM) is susceptible to CVE-2026-34480 because they detect Apache Log4j library versions 2.0-alpha1 through 2.25.3.

CVE-2026-34480 Summary:

The XmlLayout component in Log4j does not properly strip XML 1.0-illegal characters from log messages or Mapped Diagnostic Context (MDC) values. This results in the generation of invalid XML or logging exceptions, which can cause log events to be dropped or downstream log parsers to fail (CWE-116).

Environment

CA Automic Applications Manager version 9.6.2 and older

Cause

This issue specifically impacts environments where:

  1. Log4j Core (up through 2.25.3) is used with the XmlLayout configuration.
  2. An external source or attacker can inject forbidden XML characters into the logged content.

Unlike high-severity Remote Code Execution (RCE) vulnerabilities, the impact of this CVE is primarily focused on the integrity and availability of logging data.

Resolution

Applications Manager is not exploitable for CVE-2026-34480.

Applications Manager does not utilize the XmlLayout component in its logging configuration. Since the vulnerable component is not in use, the vulnerability cannot be exploited within the AM application.
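
The first condition listed under Cause, a Log4j configuration that uses XmlLayout, can be checked directly in a configuration file. The following is an added example, not Broadcom or Applications Manager code; the sample configurations are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configurations; none of them come from Applications Manager.
CONCISE_XML = """<Configuration>
  <Appenders>
    <File name="audit" fileName="audit.xml"><XmlLayout/></File>
    <Console name="stdout"><PatternLayout pattern="%m%n"/></Console>
  </Appenders>
</Configuration>"""

STRICT_XML = """<Configuration strict="true">
  <Appenders>
    <Appender type="File" name="events" fileName="events.xml">
      <Layout type="XmlLayout"/>
    </Appender>
  </Appenders>
</Configuration>"""

PROPERTIES = """appender.app.type = Console
appender.app.layout.type = PatternLayout
appender.ev.type = File
appender.ev.layout.type = XmlLayout
"""

def _local(tag):
    # Drop an XML namespace prefix such as {http://...}XmlLayout.
    return tag.rsplit("}", 1)[-1].lower()

def xmllayout_in_xml(text):
    """Names of appenders whose layout is XmlLayout (concise or strict syntax)."""
    hits = []
    for parent in ET.fromstring(text).iter():
        for child in parent:
            tag = _local(child.tag)
            strict = tag == "layout" and child.get("type", "").lower() == "xmllayout"
            if tag == "xmllayout" or strict:
                hits.append(parent.get("name", _local(parent.tag)))
    return hits

_PROP = re.compile(r"^\s*appender\.([^.\s]+)\.layout\.type\s*[=:]\s*xmllayout\s*$",
                   re.IGNORECASE | re.MULTILINE)  # case-insensitive on purpose

def xmllayout_in_properties(text):
    """Appender ids in a log4j2.properties file whose layout.type is XmlLayout."""
    return _PROP.findall(text)

if __name__ == "__main__":
    print(xmllayout_in_xml(CONCISE_XML), xmllayout_in_xml(STRICT_XML),
          xmllayout_in_properties(PROPERTIES))
```

An empty result from both functions for every Log4j configuration file in a deployment means the XmlLayout condition is not met there.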

Remediation Plan

To ensure vulnerability scanners no longer flag these libraries, Broadcom is scheduled to upgrade the Log4j library to version 2.25.4 (or newer) in the following releases:

  • Applications Manager 9.6.3
  • Applications Manager 10.0

Please reach out to Broadcom Support if you require further technical justification for your security compliance teams.