Apache Log4j 2.12.0 < 2.25.4 SSL Hostname Verification Bypass (CVE-2026-34477)

Which IIQ version are you inquiring about?

8.4p3

Please share any other relevant files that may be required (for example, logs).

Apache Log4j 2.12.0 < 2.25.4 SSL Hostname Verification Bypass (CVE-2026-34477)

Share all details about your problem, including any error messages you may have received.

Is there official remediation for CVE-2026-34477 in SailPoint IdentityIQ 8.3p3 and whether Log4j 2.25.4 can be deployed as a direct library replacement, or whether an IdentityIQ patch or hotfix is required.

@fghafour Based on NIST site, solution is not completed yet: NVD - CVE-2026-34477

“The fix for CVE-2025-68161 Security :: Apache Logging Services was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName”

You can refer to this.

CVE-2026-34477: Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass-Apache Mail Archives

NVD - CVE-2026-34477