Remediating Log4j Vulnerabilities in DataMigrator Library Files


Article ID: 442032


Products

Autosys Workload Automation

Issue/Introduction

Security vulnerability scans often identify log4j-core.jar files within the DataMigrator utility directory as vulnerable to security threats such as CVE-2026-34480, CVE-2026-34477, and CVE-2026-34478. These findings typically involve Apache Log4j versions older than 2.25.4.

Environment

Autosys 24.x

Cause

The DataMigrator utility is a standalone tool used primarily during database or platform migration activities. It is not an active service that runs continuously in the background. Consequently, the embedded Log4j libraries are only loaded into memory during an active migration task. To satisfy security compliance without needing a software patch, Broadcom recommends archiving these files when the utility is not in use.

Resolution

Recommended Mitigation: Archive and Purge

Since the utility is not required for the day-to-day operation of the Autosys Scheduler or Application Server, the original .jar files can be removed after creating a secure backup.

Remediation Steps (Unix/Linux):

This command will make changes to your system. Review it carefully before running.


1. Navigate to the DataMigrator library path
       cd <DataMigrator_dir>/lib/

2. Create a compressed backup of all log4j related jars
       tar -czvf log4j_datamigrator_backup.tar.gz log4j-*.jar

3. Remove the original jar files to clear security scan flags
       rm -f log4j-*.jar


Re-enabling DataMigrator

If a migration task is scheduled and the utility must be used:

  1. Navigate back to the /<DataMigrator_dir>/lib/ directory.
  2. Extract the jars from the backup: tar -xzvf log4j_datamigrator_backup.tar.gz.
  3. Complete the migration activity.
  4. Re-archive and remove the jars once the task is finished to maintain security compliance.
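The archive and re-enable procedures above, combined into one script that refuses to delete a jar until it is confirmed inside the backup and verifies checksums on restore. This is an added example, not Broadcom's code: the function names and the .sha256 manifest file are assumptions, and it assumes GNU sha256sum is available.

```shell
#!/bin/sh
# Added example, not vendor code. BACKUP is the article's file name; the
# function names and the .sha256 manifest are assumptions of this sketch.
BACKUP=log4j_datamigrator_backup.tar.gz
SUMS=log4j_datamigrator_backup.sha256

# archive_log4j <lib_dir>: back up log4j-*.jar, verify the archive, then remove.
archive_log4j() (
    cd "$1" || exit 1
    set -- log4j-*.jar
    # An unmatched glob stays literal, so check that the first name exists.
    [ -e "$1" ] || { echo "no log4j jars in $PWD" >&2; exit 1; }
    sha256sum "$@" > "$SUMS" || exit 1   # manifest for the later restore
    tar -czf "$BACKUP" "$@" || exit 1
    # Delete nothing until every jar is confirmed present in the archive.
    for jar in "$@"; do
        tar -tzf "$BACKUP" | grep -qxF "$jar" ||
            { echo "$jar missing from $BACKUP" >&2; exit 1; }
    done
    rm -f "$@"
)

# restore_log4j <lib_dir>: extract the jars and check them against the manifest.
restore_log4j() (
    cd "$1" || exit 1
    tar -xzf "$BACKUP" || exit 1
    sha256sum -c "$SUMS" >/dev/null
)

# demo: round trip on constructed placeholder files (not real jars).
demo() (
    d=$(mktemp -d) || exit 1
    printf 'core' > "$d/log4j-core-0.0.0.jar"
    printf 'api' > "$d/log4j-api-0.0.0.jar"
    archive_log4j "$d" && ls "$d" && restore_log4j "$d" && ls "$d"
    rc=$?; rm -rf "$d"; exit "$rc"
)

case "${1:-}" in
    archive) archive_log4j "$2" ;;
    restore) restore_log4j "$2" ;;
    demo)    demo ;;
esac
```

Saved under a name of your choosing, the script is run with archive or restore followed by the <DataMigrator_dir>/lib path; the demo argument exercises the round trip in a scratch directory only.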

Expected Outcome

  • Vulnerability scanners will no longer detect the high-risk libraries in the DataMigrator path.
  • Standard Autosys operations remain unaffected.