This is an automated email from the ASF dual-hosted git repository.
ppkarwasz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-site.git
The following commit(s) were added to refs/heads/main by this push:
new 3dc5d366 Add CVE-2026-49844 and update CVE-2026-34481 (#40)
3dc5d366 is described below
commit 3dc5d3665dc95034a473574613c435666fede7d1
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Fri Jul 10 23:09:28 2026 +0200
Add CVE-2026-49844 and update CVE-2026-34481 (#40)
* Add CVE-2026-49844 and update CVE-2026-34481
CVE-2026-49844 covers the `MapMessage.asJson()` code path in Log4j API that
the CVE-2026-34481 fix in JSON Template Layout 2.25.4 did not reach. It affects
`log4j-api` `[2.13.1, 2.25.5)`, `[2.26.0, 2.26.1)` and `[3.0.0-alpha1,
3.0.0-beta2]`, and is fixed in 2.25.5 and 2.26.1.
CVE-2026-34481 is amended to note that an `ObjectMessage`, e.g. one
produced by `Logger.info(Object)`, is also affected, and to point at the
follow-up CVE.
Add a `log4j-api` dummy component to the VDR, bump the BOM version and
refresh the affected `updated` elements.
Assisted-By: Claude Opus 4.8 (1M context) <[email protected]>
* fix: apply Copilot suggestion
---
.../modules/ROOT/pages/_vulnerabilities.adoc | 50 ++++++++++++-
src/site/static/cyclonedx/vdr.xml | 84 ++++++++++++++++++++--
2 files changed, 128 insertions(+), 6 deletions(-)
diff --git a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc
b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc
index b380adfe..06b9ac0a 100644
--- a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc
+++ b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc
@@ -29,6 +29,51 @@ Version ranges follow the
https://github.com/package-url/vers-spec/blob/main/VER
For brevity, mathematical interval notation is used, with the union operator
(`∪`) to represent multiple ranges.
====
+[#CVE-2026-49844]
+== {cve-url-prefix}/CVE-2026-49844[CVE-2026-49844]
+
+[cols="1h,5"]
+|===
+|Summary |Improper serialization of non-finite floating-point values in
`MapMessage.asJson()`
+|CVSS 4.x Score & Vector |6.3 MEDIUM
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)
+|Components affected |`log4j-api`
+|Versions affected |`[2.13.1, 2.25.5) ∪ [2.26.0, 2.26.1) ∪ [3.0.0-alpha1,
3.0.0-beta2]`
+|Versions fixed |`2.25.5` and `2.26.1`
+|===
+
+[#CVE-2026-49844-description]
+=== Description
+
+Improper encoding of non-finite floating-point values during `MapMessage` JSON
serialization in Apache Log4j API produces output that is not valid JSON.
+This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version
2.26.0.
+
+The fix for xref:#CVE-2026-34481[CVE-2026-34481] did not cover all code paths:
when a `MapMessage` contains a non-finite IEEE 754 value (`NaN`, `Infinity`, or
`-Infinity`), `MapMessage.asJson()` emits the corresponding bare token.
+RFC 8259 does not permit these tokens, so a conformant parser rejects the
resulting document.
+
+The defect is reachable only when both of the following conditions hold:
+
+* The application uses the
+https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message[`message`
resolver]
+of `JsonTemplateLayout`, or any other layout that relies on
`MapMessage.asJson()` or `MapMessage.getFormattedMessage(new String[]
{"JSON"})`.
+* The application logs a `MapMessage` that contains an attacker-controlled
floating-point value.
+
+An attacker who can supply a non-finite value can cause the affected layout to
emit malformed JSON, which may corrupt the enclosing log record or disrupt
downstream log ingestion and parsing.
+
+[#CVE-2026-49844-remediation]
+=== Remediation
+
+Users are advised to upgrade to Apache Log4j API version `2.25.5` or `2.26.1`,
both of which emit RFC 8259-compliant JSON for non-finite values.
+
+[#CVE-2026-49844-credits]
+=== Credits
+
+This issue was discovered by Himanshu Anand.
+
+[#CVE-2026-49844-references]
+=== References
+* {cve-url-prefix}/CVE-2026-49844[CVE-2026-49844]
+* https://github.com/apache/logging-log4j2/pull/4163[Pull request that fixes
the issue]
+
[#CVE-2026-40023]
== {cve-url-prefix}/CVE-2026-40023[CVE-2026-40023]
@@ -132,13 +177,16 @@ This may cause downstream log processing systems to
reject or fail to index affe
An attacker can exploit this issue only if both of the following conditions
are met:
* The application uses `JsonTemplateLayout`.
-* The application logs a `MapMessage` containing an attacker-controlled
floating-point value.
+* The application logs a `MapMessage`, or logs an object directly (e.g., via
`Logger.info(Object)`, which wraps it in an `ObjectMessage`), where the message
contains an attacker-controlled floating-point value.
[#CVE-2026-34481-remediation]
=== Remediation
Users are advised to upgrade to Apache Log4j JSON Template Layout version
`2.25.4`, which corrects this issue.
+NOTE: The fix released in version `2.25.4` did not cover all affected code
paths.
+xref:#CVE-2026-49844[CVE-2026-49844] was assigned to the remaining issue,
which concerns the `MapMessage.asJson()` serialization in Apache Log4j API and
is fixed in versions `2.25.5` and `2.26.1`.
+
[#CVE-2026-34481-credits]
=== Credits
diff --git a/src/site/static/cyclonedx/vdr.xml
b/src/site/static/cyclonedx/vdr.xml
index f7f0739a..861e5d77 100644
--- a/src/site/static/cyclonedx/vdr.xml
+++ b/src/site/static/cyclonedx/vdr.xml
@@ -40,11 +40,11 @@
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://cyclonedx.org/schema/bom/1.6"
xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6
https://cyclonedx.org/schema/bom-1.6.xsd"
- version="7"
+ version="8"
serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
<metadata>
- <timestamp>2026-04-10T11:53:17Z</timestamp>
+ <timestamp>2026-07-10T20:53:31Z</timestamp>
<manufacturer>
<name>Apache Logging Services</name>
<url>https://logging.apache.org</url>
@@ -62,6 +62,12 @@
<name>Log4cxx</name>
<purl>pkg:conan/log4cxx</purl>
</component>
+ <component type="library" bom-ref="log4j-api">
+ <group>org.apache.logging.log4j</group>
+ <name>log4j-api</name>
+ <cpe>cpe:2.3:a:apache:log4j_api:*:*:*:*:*:*:*:*</cpe>
+ <purl>pkg:maven/org.apache.logging.log4j/log4j-api?type=jar</purl>
+ </component>
<component type="library" bom-ref="log4j-core">
<group>org.apache.logging.log4j</group>
<name>log4j-core</name>
@@ -89,6 +95,71 @@
<vulnerabilities>
+ <vulnerability>
+ <id>CVE-2026-49844</id>
+ <source>
+ <name>NVD</name>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2026-49844</url>
+ </source>
+ <ratings>
+ <rating>
+ <source>
+ <name>The Apache Software Foundation</name>
+ <url>
+
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+ </source>
+ <score>6.3</score>
+ <severity>medium</severity>
+ <method>CVSSv4</method>
+
<vector>AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+ </rating>
+ </ratings>
+ <cwes>
+ <cwe>116</cwe>
+ </cwes>
+ <description><![CDATA[Improper encoding of non-finite floating-point
values during `MapMessage` JSON serialization in Apache Log4j API produces
output that is not valid JSON.
+This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version
2.26.0.
+
+The fix for CVE-2026-34481 did not cover all code paths: when a `MapMessage`
contains a non-finite IEEE 754 value (`NaN`, `Infinity`, or `-Infinity`),
`MapMessage.asJson()` emits the corresponding bare token.
+RFC 8259 does not permit these tokens, so a conformant parser rejects the
resulting document.
+
+The defect is reachable only when both of the following conditions hold:
+
+* The application uses the
+https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message[`message`
resolver]
+of `JsonTemplateLayout`, or any other layout that relies on
`MapMessage.asJson()` or `MapMessage.getFormattedMessage(new String[]
{"JSON"})`.
+* The application logs a `MapMessage` that contains an attacker-controlled
floating-point value.
+
+An attacker who can supply a non-finite value can cause the affected layout to
emit malformed JSON, which may corrupt the enclosing log record or disrupt
downstream log ingestion and parsing.]]></description>
+ <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j
API version `2.25.5` or `2.26.1`, both of which emit RFC 8259-compliant JSON
for non-finite values.]]></recommendation>
+ <created>2026-07-10T20:53:31Z</created>
+ <published>2026-07-10T20:53:31Z</published>
+ <updated>2026-07-10T20:53:31Z</updated>
+ <credits>
+ <individuals>
+ <individual>
+ <name>Himanshu Anand</name>
+ </individual>
+ </individuals>
+ </credits>
+ <affects>
+ <target>
+ <ref>log4j-api</ref>
+ <versions>
+ <version>
+ <range><![CDATA[vers:maven/>=2.13.1|<2.25.5]]></range>
+ </version>
+ <version>
+ <range><![CDATA[vers:maven/>=2.26.0|<2.26.1]]></range>
+ </version>
+ <version>
+
<range><![CDATA[vers:maven/>=3.0.0-alpha1|<=3.0.0-beta2]]></range>
+ </version>
+ </versions>
+ </target>
+ </affects>
+ </vulnerability>
+
<vulnerability>
<id>CVE-2026-40023</id>
<source>
@@ -235,11 +306,14 @@ This may cause downstream log processing systems to
reject or fail to index affe
An attacker can exploit this issue only if both of the following conditions
are met:
* The application uses `JsonTemplateLayout`.
-* The application logs a `MapMessage` containing an attacker-controlled
floating-point value.]]></description>
- <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j
JSON Template Layout version `2.25.4`, which corrects this
issue.]]></recommendation>
+* The application logs a `MapMessage`, or logs an object directly (e.g., via
`Logger.info(Object)`, which wraps it in an `ObjectMessage`), where the message
contains an attacker-controlled floating-point value.]]></description>
+ <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j
JSON Template Layout version `2.25.4`, which corrects this issue.
+
+NOTE: The fix released in version `2.25.4` did not cover all affected code
paths.
+CVE-2026-49844 was assigned to the remaining issue, which concerns the
`MapMessage.asJson()` serialization in Apache Log4j API and is fixed in
versions `2.25.5` and `2.26.1`.]]></recommendation>
<created>2026-04-10T11:53:17Z</created>
<published>2026-04-10T11:53:17Z</published>
- <updated>2026-04-10T11:53:17Z</updated>
+ <updated>2026-07-10T20:53:31Z</updated>
<credits>
<individuals>
<individual>