Are CA Service Management products (including Service Desk Manager) affected by the Apache Log4j vulnerabilities CVE-2026-34480 and CVE-2026-34479 (Log4j1XmlLayout)?
CA Service Management 17.4.x
CA Service Desk Manager 17.4.x
These CVEs are related to the XmlLayout and Log4j1XmlLayout components of Apache Log4j Core (versions up to and including 2.25.3). These components fail to sanitize characters forbidden by the XML 1.0 specification, which could lead to malformed XML output or log event loss.
CA Service Management and CA Service Desk are not affected by these vulnerabilities.
These products and their components strictly utilize PatternLayout for logging. They do not utilize the vulnerable XmlLayout or Log4j1XmlLayout components in their logging configurations.
Because the vulnerable components are not in use, the products are not exploitable through these CVEs.
While the products are not vulnerable, security scanners may still flag the presence of Log4j 2.25.3 or older libraries. Broadcom typically upgrades third-party libraries like Log4j to the latest stable versions (e.g., 2.25.4 or newer) in upcoming patches and maintenance releases to ensure ongoing compliance with security standards.
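A scanner finding on the Log4j library version can be triaged by checking which layouts the logging configurations actually reference. The following is an added example, not Broadcom's code: it reports any use of XmlLayout or Log4j1XmlLayout in a Log4j 2 XML or properties configuration. The function names and the sample configurations are constructed for illustration, and the files to check in a given installation are not listed on this page.

```python
import re
import xml.etree.ElementTree as ET

# Layout plugins named in the advisory; Log4j 2 matches plugin names case-insensitively.
AFFECTED = {"xmllayout", "log4j1xmllayout"}
# Properties format: appender.<id>.layout.type = <LayoutPlugin>; commented lines do not match.
PROP_LAYOUT = re.compile(r"^\s*appender\.[^=\s]+\.layout\.type\s*[=:]\s*(\S+)", re.I | re.M)

def layouts_in_xml(text):
    """Return the layout plugin names used in a Log4j 2 XML configuration."""
    found = []
    for el in ET.fromstring(text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present
        # Concise form: <PatternLayout .../>; strict form: <Layout type="PatternLayout"/>
        name = el.get("type", "") if tag.lower() == "layout" else tag
        if name.lower().endswith("layout"):
            found.append(name)
    return found

def layouts_in_properties(text):
    """Return the layout plugin names used in a Log4j 2 properties configuration."""
    return PROP_LAYOUT.findall(text)

def audit(filename, text):
    """Return the affected layouts a configuration references (empty list = none)."""
    is_xml = filename.lower().endswith(".xml")
    layouts = layouts_in_xml(text) if is_xml else layouts_in_properties(text)
    return sorted({name for name in layouts if name.lower() in AFFECTED})

# Constructed sample configurations, not taken from any product installation.
SAMPLES = {
    "pattern_only.xml": '<Configuration><Appenders><Console name="c">'
                        '<PatternLayout pattern="%d %p %m%n"/></Console>'
                        '</Appenders></Configuration>',
    "flagged.xml": '<Configuration><Appenders><File name="f" fileName="app.log">'
                   '<XmlLayout complete="true"/></File></Appenders></Configuration>',
    "strict.xml": '<Configuration strict="true"><Appenders>'
                  '<Appender type="File" name="f" fileName="app.log">'
                  '<Layout type="Log4j1XmlLayout"/></Appender></Appenders></Configuration>',
    "log4j2.properties": "appender.rolling.type = RollingFile\n"
                         "appender.rolling.layout.type = PatternLayout\n"
                         "# appender.old.layout.type = XmlLayout\n",
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        hits = audit(fname, body)
        print(f"{fname}: {'AFFECTED layout: ' + ', '.join(hits) if hits else 'no affected layout'}")
```

An empty result for every configuration the application loads supports the "not affected" assessment even while the library version itself is still flagged.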