The reported vulnerabilities are as follows:

• (CVE-2026-34477) for Apache Log4j  
• (CVE-2026-34483, CVE-2026-34486, CVE-2026-34487, CVE-2026-34500) for Apache Tomcat 
  
  

IOM 9.1.2 uses the following versions of Apache Log4j and Apache Tomcat which are reportedly impacted by the vulnerabilities:

1) Impacted component: log4j-core.jar
    Installed version : 2.25.3

2) Impacted component: log4j.jar
    Installed version : 2.17.1
  
3) Impacted component: tomcat
    Installed version : 9.0.115

There are currently no plans to address this issue through a patch or hotfix in the current or previous versions of the software. However, it is scheduled to be resolved in the next major product revision (IOM 9.2 due in June 2026).

Please note that the Product Engineering team reserves the right to remove any fix from the targeted release if it does not pass quality assurance tests. Our plans are subject to change, and any actions you take based on this information, or your reliance on it, are at your own risk.

For Infoscale Operations Manager (IOM) 9.1.2, several vulnerabilities are reported for Apache Log4j and Apache Tomcat