fix(deps): update log4j.version to v2.25.4 [security]#2000
Open
renovate-bot wants to merge 1 commit into
Open
Conversation
…2.25.4 [security]
renovate-bot
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.25.3→2.25.42.25.3→2.25.4Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
CVE-2026-34480 / GHSA-3pxv-7cmr-fjr4
More information
Details
Apache Log4j Core's
XmlLayout, in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output whenever a log message or MDC value contains such characters.The impact depends on the StAX implementation in use:
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Apache Log4j Core: log injection in
Rfc5424Layoutdue to silent configuration incompatibilityCVE-2026-34478 / GHSA-445c-vh5m-36rj
More information
Details
Apache Log4j Core's
Rfc5424Layout, in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:
newLineEscapeattribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.useTlsMessageFormatattribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.Users of the
SyslogAppenderare not affected, as its configuration attributes were not modified.Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Apache Log4j Core:
verifyHostNameattribute silently ignored in TLS configurationCVE-2026-34477 / GHSA-6hg6-v5c8-fphq
More information
Details
The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the
log4j2.sslVerifyHostNamesystem property, but not when configured through theverifyHostNameattribute of the<Ssl>element.Although the
verifyHostNameconfiguration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:
This issue does not affect users of the HTTP appender, which uses a separate
verifyHostnameattribute that was not subject to this bug and verifies host names by default.Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Apache Log4j 1 to Log4j 2 bridge: silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
CVE-2026-34479 / GHSA-h383-gmxw-35v2
More information
Details
The
Log4j1XmlLayoutfrom the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.Two groups of users are affected:
Log4j1XmlLayoutdirectly in a Log4j Core 2 configuration file.org.apache.log4j.xml.XMLLayoutspecified as the layout class.Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version
2.25.4, which corrects this issue.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.