Skip to content

Update dependency org.apache.logging.log4j:log4j-core to v2.25.4 [SECURITY]#26

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/maven-org.apache.logging.log4j-log4j-core-vulnerability
Open

Update dependency org.apache.logging.log4j:log4j-core to v2.25.4 [SECURITY]#26
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/maven-org.apache.logging.log4j-log4j-core-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate Bot commented Mar 18, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
org.apache.logging.log4j:log4j-core (source) 2.13.32.25.4 age confidence

Improper Input Validation and Injection in Apache Log4j2

CVE-2021-44832 / GHSA-8489-44mv-ggj8

More information

Details

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Affected packages

Only the org.apache.logging.log4j:log4j-core package is directly affected by this vulnerability. The org.apache.logging.log4j:log4j-api should be kept at the same version as the org.apache.logging.log4j:log4j-core package to ensure compatability if in use.

This issue does not impact default configurations of Log4j2 and requires an attacker to have control over the Log4j2 configuration, which reduces the likelihood of being exploited.

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Apache Log4j does not verify the TLS hostname in its Socket Appender

CVE-2025-68161 / GHSA-vc5p-v9hr-52mj

More information

Details

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

  • The attacker is able to intercept or redirect network traffic between the client and the log receiver.
  • The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.

As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

CVE-2026-34480 / GHSA-3pxv-7cmr-fjr4

More information

Details

Apache Log4j Core's XmlLayout, in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output whenever a log message or MDC value contains such characters.

The impact depends on the StAX implementation in use:

  • JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
  • Alternative StAX implementations (e.g., Woodstox, a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration

CVE-2026-34477 / GHSA-6hg6-v5c8-fphq

More information

Details

The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName attribute of the <Ssl> element.

Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.

A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:

  • An SMTP, Socket, or Syslog appender is in use.
  • TLS is configured via a nested element.
  • The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.

This issue does not affect users of the HTTP appender, which uses a separate verifyHostname attribute that was not subject to this bug and verifies host names by default.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title Update dependency org.apache.logging.log4j:log4j-core to v2.17.1 [SECURITY] Update dependency org.apache.logging.log4j:log4j-core to v2.17.1 [SECURITY] - autoclosed Jun 9, 2023
@renovate renovate Bot closed this Jun 9, 2023
@renovate renovate Bot deleted the renovate/maven-org.apache.logging.log4j-log4j-core-vulnerability branch June 9, 2023 12:45
@renovate renovate Bot changed the title Update dependency org.apache.logging.log4j:log4j-core to v2.17.1 [SECURITY] - autoclosed Update dependency org.apache.logging.log4j:log4j-core to v2.17.1 [SECURITY] Jun 9, 2023
@renovate renovate Bot reopened this Jun 9, 2023
@renovate renovate Bot restored the renovate/maven-org.apache.logging.log4j-log4j-core-vulnerability branch June 9, 2023 17:03
@renovate renovate Bot force-pushed the renovate/maven-org.apache.logging.log4j-log4j-core-vulnerability branch from 5ecb007 to eeeff19 Compare June 9, 2023 17:03
@renovate renovate Bot force-pushed the renovate/maven-org.apache.logging.log4j-log4j-core-vulnerability branch from eeeff19 to 81a3685 Compare December 19, 2025 22:48
@renovate renovate Bot changed the title Update dependency org.apache.logging.log4j:log4j-core to v2.17.1 [SECURITY] Update dependency org.apache.logging.log4j:log4j-core to v2.25.3 [SECURITY] Dec 19, 2025
@renovate renovate Bot changed the title Update dependency org.apache.logging.log4j:log4j-core to v2.25.3 [SECURITY] Update dependency org.apache.logging.log4j:log4j-core to v2.25.3 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/maven-org.apache.logging.log4j-log4j-core-vulnerability branch March 27, 2026 02:46
@renovate renovate Bot changed the title Update dependency org.apache.logging.log4j:log4j-core to v2.25.3 [SECURITY] - autoclosed Update dependency org.apache.logging.log4j:log4j-core to v2.25.3 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/maven-org.apache.logging.log4j-log4j-core-vulnerability branch 2 times, most recently from 81a3685 to bbde771 Compare March 30, 2026 19:04
@renovate renovate Bot force-pushed the renovate/maven-org.apache.logging.log4j-log4j-core-vulnerability branch from bbde771 to 99a6a3d Compare April 10, 2026 22:51
@renovate renovate Bot changed the title Update dependency org.apache.logging.log4j:log4j-core to v2.25.3 [SECURITY] Update dependency org.apache.logging.log4j:log4j-core to v2.25.4 [SECURITY] Apr 10, 2026
@renovate renovate Bot changed the title Update dependency org.apache.logging.log4j:log4j-core to v2.25.4 [SECURITY] Update dependency org.apache.logging.log4j:log4j-core to v2.25.4 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency org.apache.logging.log4j:log4j-core to v2.25.4 [SECURITY] - autoclosed Update dependency org.apache.logging.log4j:log4j-core to v2.25.4 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/maven-org.apache.logging.log4j-log4j-core-vulnerability branch 2 times, most recently from 99a6a3d to b5d1bad Compare April 27, 2026 20:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants