Impact Analysis for Apache Log4j Vulnerabilities (CVE-2026-34477, CVE-2026-34478, CVE-2026-34480)
Article ID: 441724

Products

  • ESP dSeries Workload Automation
  • ESP dSeries Workload Automation - Scheduler (dSeries)

Issue/Introduction

A security vulnerability scan may flag ESP dSeries Workload Automation 25.0 as susceptible to the following Apache Log4j vulnerabilities due to the presence of Log4j version 2.24.3 libraries:

  • CVE-2026-34477: SSL Hostname Verification Bypass (Impacts Log4j 2.12.0 < 2.25.4)
  • CVE-2026-34478: Rfc5424Layout Log Injection (Impacts Log4j 2.21.0 < 2.25.4)
  • CVE-2026-34480: XmlLayout Invalid XML Output (Impacts Log4j 2.0-alpha1 < 2.25.4)

Environment

  • Product: ESP dSeries Workload Automation
  • Release: 25.0
  • Component: Server, CLI, WebUI

Cause

Security scanners typically flag software based on the version string of the included library files (e.g., log4j-core-####.jar) rather than on how the library is actually used. While dSeries 25.0 includes Log4j version 2.24.3, the specific Log4j features affected by these CVEs are not used by the application.

Resolution

ESP dSeries Workload Automation 25.0 is not impacted by these vulnerabilities. A technical assessment has confirmed that dSeries does not use the specific components required for exploitation:

CVE-2026-34477: SSL Hostname Verification Bypass

  • Assessment: This vulnerability occurs when Log4j is configured to use network appenders (such as SyslogAppender, SMTPAppender, or SocketAppender) over a TLS/SSL connection.
  • dSeries Status: Log4j configuration files (such as server.log4j.xml and cli.log4j.xml) and custom programmatic appenders exclusively use local file and memory appenders: Console, RollingFile, File, custom BufferFileAppender, and StatusAppender. No network-based appenders are configured to transmit logs externally over SSL/TLS.

CVE-2026-34478: Rfc5424Layout Log Injection

  • Assessment: This vulnerability allows log injection if an application uses the Rfc5424Layout (often used with Syslog).
  • dSeries Status: A search of dSeries configuration files and Java code confirms that Rfc5424Layout is completely unused. dSeries exclusively utilizes Log4j's PatternLayout and custom testing layouts.

CVE-2026-34480: XmlLayout Invalid XML Output

  • Assessment: This issue involves Log4j producing invalid XML output when using the XmlLayout component.
  • dSeries Status: The XmlLayout component is not used anywhere in the dSeries Server or CLI.
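The assessment above rests on one question per CVE: does the Log4j configuration reference a network appender with TLS/SSL, the Rfc5424Layout (explicitly or via a Syslog appender in RFC5424 format), or the XmlLayout? The following Python script is an added example of how an administrator can answer that question for their own Log4j 2 XML configuration files; it is not Broadcom's assessment tooling and not part of the article. It assumes the Log4j 2 XML plugin element names (Socket, Syslog, SMTP, SSL, Rfc5424Layout, XmlLayout) and the SMTP appender's smtpProtocol attribute, and it only covers XML configuration; appenders built programmatically in Java code, which the article also mentions, still require a code search. Both sample configurations are constructed for the example and are not the real server.log4j.xml or cli.log4j.xml.

```python
"""Audit a Log4j 2 XML configuration for the components named in
CVE-2026-34477, CVE-2026-34478 and CVE-2026-34480.

Added example, not vendor tooling. Assumes Log4j 2 XML plugin element names
(Socket, Syslog, SMTP, SSL, Rfc5424Layout, XmlLayout) and covers XML configs
only; programmatically built appenders need a separate code search.
"""
import xml.etree.ElementTree as ET

# Appender plugins that ship log events over the network; with TLS/SSL they
# meet the CVE-2026-34477 precondition described in the article.
NETWORK_APPENDERS = {"Socket", "Syslog", "SMTP"}


def _scan(elem, owner, findings):
    """Depth-first walk below <Appenders>. 'owner' is the nearest enclosing
    appender name, so layouts nested inside Routing/Routes are attributed too."""
    tag = elem.tag.split("}")[-1]            # drop any XML namespace prefix
    if elem.get("name") is not None:         # appender plugins carry a name
        owner = elem.get("name")
    if tag in NETWORK_APPENDERS:
        # Socket/Syslog configure TLS through an <SSL> child; SMTP through
        # its smtpProtocol attribute (assumed attribute name).
        tls = (elem.find("SSL") is not None or elem.find("Ssl") is not None
               or elem.get("smtpProtocol", "").lower() == "smtps")
        if tls:
            findings.append(("CVE-2026-34477", owner,
                             f"{tag} appender with TLS/SSL configured"))
        else:
            findings.append(("review", owner,
                             f"{tag} appender without TLS/SSL (not the CVE "
                             "precondition, but logs leave the host)"))
        if tag == "Syslog" and elem.get("format", "").upper() == "RFC5424":
            findings.append(("CVE-2026-34478", owner,
                             "Syslog format=RFC5424 uses Rfc5424Layout"))
    elif tag == "Rfc5424Layout":
        findings.append(("CVE-2026-34478", owner, "explicit Rfc5424Layout"))
    elif tag == "XmlLayout":
        findings.append(("CVE-2026-34480", owner, "XmlLayout"))
    for child in elem:
        _scan(child, owner, findings)


def audit_log4j_config(xml_text):
    """Return [(id, appender_name, detail), ...] in document order; an empty
    list means none of the three advisories' components are configured."""
    root = ET.fromstring(xml_text)
    findings = []
    appenders = root.find("Appenders")
    if appenders is not None:
        for appender in appenders:
            _scan(appender, None, findings)
    return findings


def affected_cves(xml_text):
    """Sorted CVE identifiers whose preconditions the configuration meets."""
    return sorted({f[0] for f in audit_log4j_config(xml_text)
                   if f[0].startswith("CVE-")})


# Constructed sample in the shape the article describes for dSeries: local
# Console and RollingFile appenders with PatternLayout only.
CLEAN_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] %c - %m%n"/>
    </Console>
    <RollingFile name="ServerLog" fileName="logs/server.log"
                 filePattern="logs/server-%i.log">
      <PatternLayout pattern="%d %-5p %c - %m%n"/>
      <SizeBasedTriggeringPolicy size="10 MB"/>
    </RollingFile>
  </Appenders>
</Configuration>"""

# Constructed sample that does use the flagged components; hostnames are
# placeholders under the reserved .invalid TLD.
FLAGGED_CONFIG = """<Configuration>
  <Appenders>
    <Socket name="RemoteSocket" host="logs.example.invalid" port="6514">
      <SSL><TrustStore location="truststore.p12"/></SSL>
      <PatternLayout pattern="%m%n"/>
    </Socket>
    <Syslog name="RemoteSyslog" host="syslog.example.invalid" port="514"
            protocol="UDP" format="RFC5424" appName="demo"/>
    <File name="AuditXml" fileName="logs/audit.xml">
      <XmlLayout/>
    </File>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("flagged", FLAGGED_CONFIG)):
        print(f"{label}: {affected_cves(cfg) or 'no CVE preconditions met'}")
        for ident, owner, detail in audit_log4j_config(cfg):
            print(f"  {ident:<15} {owner:<13} {detail}")
```

Run it against each log4j XML file the application ships (the article names server.log4j.xml and cli.log4j.xml for dSeries) and keep the output with the scanner ticket: an empty result for every file is the evidence a scanner exception needs, while a "review" entry for a plain-text network appender is worth a second look even though it is not the TLS precondition the first CVE requires.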

Additional Information

Remediation Plan

To address concerns raised by security scanners and remove the flagged library versions, Broadcom plans to upgrade the Log4j library to version 2.25.4 (or newer) in a future release.