Security vulnerability scanners may flag CA Process Automation (ITPAM) as susceptible to the following Apache Log4j vulnerabilities due to the presence of Log4j 2.17.2 libraries:
CVE-2026-34479: Silent log event loss in Log4j1XmlLayout (Impacts Log4j 2.0-beta9 < 2.25.4)
CVE-2026-34480: XmlLayout Invalid XML Output (Impacts Log4j 2.0-alpha1 < 2.25.4)
Scanners typically identify these based on the version of log4j-core-####.jar found in the installation directories.
Is Process Automation affected by Log4j CVE-2026-34480 & CVE-2026-34479 (Log4j1XmlLayout) vulnerabilities?
Process Automation 4.4
Both vulnerabilities are specific to the use of XML-based layouts (XmlLayout or Log4j1XmlLayout) within the Log4j configuration. While the libraries are present in the ITPAM environment, the application's default logging configuration does not use these components.
Process Automation is not affected by these vulnerabilities.
The scanner findings for the mentioned vulnerabilities can be safely ignored.
In ITPAM, log4j2.xml does not use the XmlLayout or Log4j1XmlLayout components.
For the CONSOLE and C2OFILE appenders, ITPAM uses PatternLayout, which writes a plain-text pattern rather than XML.
Example from C:\Program Files\CA\PAM\wildfly\standalone\conf\log4j2.xml:
<Console name="CONSOLE" target="SYSTEM_OUT">
    <PatternLayout pattern="%d %-5p [%c] %m%n" />
</Console>
<RollingFile name="C2OFILE">
    <FileName>${sys:jboss.server.log.dir}/c2o.log</FileName>
    <FilePattern>${sys:jboss.server.log.dir}/c2o.log.%i</FilePattern>
    <PatternLayout>
        <Pattern>%d %-5p [%c] [%15.15t] %m%n</Pattern>
    </PatternLayout>
</RollingFile>
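To confirm the same result on a given installation, the check below lists every appender in a log4j2.xml that uses XmlLayout or Log4j1XmlLayout. It is an added example, not Broadcom or ITPAM code; the AUDIT appender and the function names are hypothetical, and the sample XML is constructed from the excerpt above. It also covers Log4j's strict syntax (Layout type="...") and case-insensitive plugin names.

```python
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

# Layout plugins named by the two CVEs; Log4j 2 matches plugin names case-insensitively.
XML_LAYOUTS = {"xmllayout", "log4j1xmllayout"}

# Constructed sample: the two appenders from the excerpt above.
PAGE_APPENDERS = """
<Console name="CONSOLE" target="SYSTEM_OUT">
  <PatternLayout pattern="%d %-5p [%c] %m%n" />
</Console>
<RollingFile name="C2OFILE">
  <PatternLayout><Pattern>%d %-5p [%c] [%15.15t] %m%n</Pattern></PatternLayout>
</RollingFile>"""
# Hypothetical appender (not in ITPAM's file) in strict syntax, to show a hit.
XML_APPENDER = '<Appender type="File" name="AUDIT"><Layout type="xmllayout"/></Appender>'

def wrap(appenders):
    """Place appender XML inside a minimal Configuration document."""
    return f"<Configuration><Appenders>{appenders}</Appenders></Configuration>"

def local(tag):
    """Drop an XML namespace prefix: '{ns}Console' -> 'Console'."""
    return tag.rsplit("}", 1)[-1]

def plugin_name(elem):
    """Plugin selected by an element, in concise or strict (type=...) syntax."""
    name = local(elem.tag)
    if name.lower() in ("layout", "appender"):
        return elem.get("type", name)
    return name

def find_xml_layouts(config):
    """Return sorted (appender name, layout plugin) pairs that use an XML layout."""
    hits = []
    for section in ET.fromstring(config).iter():
        if local(section.tag).lower() != "appenders":
            continue
        for appender in section:
            for node in appender.iter():  # includes nested appenders and layouts
                if plugin_name(node).lower() in XML_LAYOUTS:
                    hits.append((appender.get("name", "?"), plugin_name(node)))
    return sorted(hits)

if __name__ == "__main__":
    # Pass the path to log4j2.xml as the first argument; defaults to the sample.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else wrap(PAGE_APPENDERS)
    hits = find_xml_layouts(data)
    print(hits if hits else "no XmlLayout or Log4j1XmlLayout in use")
```

The result only describes the file that was parsed, so run it against each log4j2.xml found in the installation, and rerun it after any change to the logging configuration.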