You identify security vulnerabilities related to the following paths in your environment:
####/###/###/###/product/workstation/plugins/log4j-over-slf4j_1.7.36.jar
####/###/###/###/product/enterprisemanager/plugins/log4j-over-slf4j_1.7.36.jar

The reported vulnerability is CVE-2025-68161, which concerns Apache Log4j Core.
The vulnerability CVE-2025-68161 is a false positive for CA APM. This vulnerability specifically affects Apache Log4j versions 2.x. The file identified in the scan, log4j-over-slf4j_1.7.36.jar, is part of the Simple Logging Facade for Java (SLF4J). It acts as a bridge or facade for components that attempt to log via Log4j 1.x interfaces, redirecting them to the logging framework used by APM, which is logback. Because the product does not use or ship with Apache Log4j Core 2.x, the system is not affected by this vulnerability.
You are not affected by CVE-2025-68161 because the vulnerable Apache Log4j 2.x components are not utilized by CA APM.
While the product is not affected, Broadcom recommends that you update to the latest version (10.8.0.230) to ensure your system remains current.
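To confirm a scanner finding of this kind from the jar contents rather than the file name, the following added example (not Broadcom or SLF4J code) counts Log4j Core 2.x classes (package org.apache.logging.log4j.core) and Log4j 1.x-named classes (package org.apache.log4j, which the SLF4J bridge re-implements) in a jar and in any jars nested inside it. The function names and the in-memory sample jars are constructed for illustration.

```python
import io
import sys
import zipfile

CORE_PKG = "org/apache/logging/log4j/core/"  # Log4j 2.x Core implementation classes
LOG4J1_PKG = "org/apache/log4j/"             # Log4j 1.x API names (re-implemented by log4j-over-slf4j)

def inspect_jar(jar, max_depth=3):
    """Count Core 2.x and 1.x-named classes in a jar (path or file object), nested jars included."""
    counts = {"core_2x": 0, "log4j_1x_names": 0}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                if name.startswith(CORE_PKG):
                    counts["core_2x"] += 1
                elif name.startswith(LOG4J1_PKG):
                    counts["log4j_1x_names"] += 1
            elif name.endswith(".jar") and max_depth > 0:
                try:  # descend into bundled jars, with a depth limit
                    inner = inspect_jar(io.BytesIO(zf.read(name)), max_depth - 1)
                except zipfile.BadZipFile:
                    continue  # entry is named .jar but is not a readable archive
                for key in counts:
                    counts[key] += inner[key]
    return counts

def ships_log4j_core(jar):
    """True only if Log4j Core 2.x classes are actually present."""
    return inspect_jar(jar)["core_2x"] > 0

def make_jar(entries):
    """Build a constructed sample jar in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

# Constructed samples: entry names mirror real package layouts, class bodies are dummies.
def sample_bridge_jar():
    return make_jar({"org/apache/log4j/Logger.class": b"", "org/apache/log4j/Category.class": b""})

def sample_core_jar():
    return make_jar({"org/apache/logging/log4j/core/Logger.class": b""})

def sample_fat_jar():
    return make_jar({"lib/log4j-core.jar": sample_core_jar().getvalue()})

if __name__ == "__main__":
    for path in sys.argv[1:]:  # pass the jar paths reported by the scanner
        print(path, inspect_jar(path))
```

A result with core_2x equal to 0 and a non-zero log4j_1x_names count is the pattern described above for log4j-over-slf4j: Log4j 1.x class names are present, but no Log4j Core 2.x code.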