This is an automated email from the ASF dual-hosted git repository.
github-actions[bot] pushed a commit to branch main-site-stg-out
in repository https://gitbox.apache.org/repos/asf/logging-site.git
The following commit(s) were added to refs/heads/main-site-stg-out by this push:
new 173084a2 Add website content generated from
`3dc5d3665dc95034a473574613c435666fede7d1`
173084a2 is described below
commit 173084a24c7945650b7e9ca42380a00a5a998c08
Author: ASF Logging Services RM <[email protected]>
AuthorDate: Fri Jul 10 21:10:00 2026 +0000
Add website content generated from
`3dc5d3665dc95034a473574613c435666fede7d1`
---
cyclonedx/vdr.xml | 84 ++++++++++++++++++++++++++++++++++++++++++---
security.html | 100 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
sitemap.xml | 42 +++++++++++------------
3 files changed, 199 insertions(+), 27 deletions(-)
diff --git a/cyclonedx/vdr.xml b/cyclonedx/vdr.xml
index f7f0739a..861e5d77 100644
--- a/cyclonedx/vdr.xml
+++ b/cyclonedx/vdr.xml
@@ -40,11 +40,11 @@
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://cyclonedx.org/schema/bom/1.6"
xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6
https://cyclonedx.org/schema/bom-1.6.xsd"
- version="7"
+ version="8"
serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
<metadata>
- <timestamp>2026-04-10T11:53:17Z</timestamp>
+ <timestamp>2026-07-10T20:53:31Z</timestamp>
<manufacturer>
<name>Apache Logging Services</name>
<url>https://logging.apache.org</url>
@@ -62,6 +62,12 @@
<name>Log4cxx</name>
<purl>pkg:conan/log4cxx</purl>
</component>
+ <component type="library" bom-ref="log4j-api">
+ <group>org.apache.logging.log4j</group>
+ <name>log4j-api</name>
+ <cpe>cpe:2.3:a:apache:log4j_api:*:*:*:*:*:*:*:*</cpe>
+ <purl>pkg:maven/org.apache.logging.log4j/log4j-api?type=jar</purl>
+ </component>
<component type="library" bom-ref="log4j-core">
<group>org.apache.logging.log4j</group>
<name>log4j-core</name>
@@ -89,6 +95,71 @@
<vulnerabilities>
+ <vulnerability>
+ <id>CVE-2026-49844</id>
+ <source>
+ <name>NVD</name>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2026-49844</url>
+ </source>
+ <ratings>
+ <rating>
+ <source>
+ <name>The Apache Software Foundation</name>
+ <url>
+
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+ </source>
+ <score>6.3</score>
+ <severity>medium</severity>
+ <method>CVSSv4</method>
+
<vector>AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+ </rating>
+ </ratings>
+ <cwes>
+ <cwe>116</cwe>
+ </cwes>
+ <description><![CDATA[Improper encoding of non-finite floating-point
values during `MapMessage` JSON serialization in Apache Log4j API produces
output that is not valid JSON.
+This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version
2.26.0.
+
+The fix for CVE-2026-34481 did not cover all code paths: when a `MapMessage`
contains a non-finite IEEE 754 value (`NaN`, `Infinity`, or `-Infinity`),
`MapMessage.asJson()` emits the corresponding bare token.
+RFC 8259 does not permit these tokens, so a conformant parser rejects the
resulting document.
+
+The defect is reachable only when both of the following conditions hold:
+
+* The application uses the
+https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message[`message`
resolver]
+of `JsonTemplateLayout`, or any other layout that relies on
`MapMessage.asJson()` or `MapMessage.getFormattedMessage(new String[]
{"JSON"})`.
+* The application logs a `MapMessage` that contains an attacker-controlled
floating-point value.
+
+An attacker who can supply a non-finite value can cause the affected layout to
emit malformed JSON, which may corrupt the enclosing log record or disrupt
downstream log ingestion and parsing.]]></description>
+ <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j
API version `2.25.5` or `2.26.1`, both of which emit RFC 8259-compliant JSON
for non-finite values.]]></recommendation>
+ <created>2026-07-10T20:53:31Z</created>
+ <published>2026-07-10T20:53:31Z</published>
+ <updated>2026-07-10T20:53:31Z</updated>
+ <credits>
+ <individuals>
+ <individual>
+ <name>Himanshu Anand</name>
+ </individual>
+ </individuals>
+ </credits>
+ <affects>
+ <target>
+ <ref>log4j-api</ref>
+ <versions>
+ <version>
+ <range><![CDATA[vers:maven/>=2.13.1|<2.25.5]]></range>
+ </version>
+ <version>
+ <range><![CDATA[vers:maven/>=2.26.0|<2.26.1]]></range>
+ </version>
+ <version>
+
<range><![CDATA[vers:maven/>=3.0.0-alpha1|<=3.0.0-beta2]]></range>
+ </version>
+ </versions>
+ </target>
+ </affects>
+ </vulnerability>
+
<vulnerability>
<id>CVE-2026-40023</id>
<source>
@@ -235,11 +306,14 @@ This may cause downstream log processing systems to
reject or fail to index affe
An attacker can exploit this issue only if both of the following conditions
are met:
* The application uses `JsonTemplateLayout`.
-* The application logs a `MapMessage` containing an attacker-controlled
floating-point value.]]></description>
- <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j
JSON Template Layout version `2.25.4`, which corrects this
issue.]]></recommendation>
+* The application logs a `MapMessage`, or logs an object directly (e.g., via
`Logger.info(Object)`, which wraps it in an `ObjectMessage`), where the message
contains an attacker-controlled floating-point value.]]></description>
+ <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j
JSON Template Layout version `2.25.4`, which corrects this issue.
+
+NOTE: The fix released in version `2.25.4` did not cover all affected code
paths.
+CVE-2026-49844 was assigned to the remaining issue, which concerns the
`MapMessage.asJson()` serialization in Apache Log4j API and is fixed in
versions `2.25.5` and `2.26.1`.]]></recommendation>
<created>2026-04-10T11:53:17Z</created>
<published>2026-04-10T11:53:17Z</published>
- <updated>2026-04-10T11:53:17Z</updated>
+ <updated>2026-07-10T20:53:31Z</updated>
<credits>
<individuals>
<individual>
diff --git a/security.html b/security.html
index b0bcbb0f..7d09a47b 100644
--- a/security.html
+++ b/security.html
@@ -788,6 +788,91 @@ We choose to pool all information on this one page,
allowing easy searching for
</table>
</div>
<div class="sect2">
+<h3 id="CVE-2026-49844"><a class="anchor" href="#CVE-2026-49844"></a><a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-49844">CVE-2026-49844</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Improper
serialization of non-finite floating-point values in
<code>MapMessage.asJson()</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x
Score & Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.3 MEDIUM
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>log4j-api</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
affected</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>[2.13.1, 2.25.5) ∪ [2.26.0, 2.26.1) ∪ [3.0.0-alpha1,
3.0.0-beta2]</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p
class="tableblock"><code>2.25.5</code> and <code>2.26.1</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2026-49844-description"><a class="anchor"
href="#CVE-2026-49844-description"></a>Description</h4>
+<div class="paragraph">
+<p>Improper encoding of non-finite floating-point values during
<code>MapMessage</code> JSON serialization in Apache Log4j API produces output
that is not valid JSON.
+This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version
2.26.0.</p>
+</div>
+<div class="paragraph">
+<p>The fix for <a href="#CVE-2026-34481">CVE-2026-34481</a> did not cover all
code paths: when a <code>MapMessage</code> contains a non-finite IEEE 754 value
(<code>NaN</code>, <code>Infinity</code>, or <code>-Infinity</code>),
<code>MapMessage.asJson()</code> emits the corresponding bare token.
+RFC 8259 does not permit these tokens, so a conformant parser rejects the
resulting document.</p>
+</div>
+<div class="paragraph">
+<p>The defect is reachable only when both of the following conditions hold:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>The application uses the
+<a
href="https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message"><code>message</code>
resolver</a>
+of <code>JsonTemplateLayout</code>, or any other layout that relies on
<code>MapMessage.asJson()</code> or <code>MapMessage.getFormattedMessage(new
String[] {"JSON"})</code>.</p>
+</li>
+<li>
+<p>The application logs a <code>MapMessage</code> that contains an
attacker-controlled floating-point value.</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>An attacker who can supply a non-finite value can cause the affected layout
to emit malformed JSON, which may corrupt the enclosing log record or disrupt
downstream log ingestion and parsing.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-49844-remediation"><a class="anchor"
href="#CVE-2026-49844-remediation"></a>Remediation</h4>
+<div class="paragraph">
+<p>Users are advised to upgrade to Apache Log4j API version
<code>2.25.5</code> or <code>2.26.1</code>, both of which emit RFC
8259-compliant JSON for non-finite values.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-49844-credits"><a class="anchor"
href="#CVE-2026-49844-credits"></a>Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Himanshu Anand.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-49844-references"><a class="anchor"
href="#CVE-2026-49844-references"></a>References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-49844">CVE-2026-49844</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4j2/pull/4163">Pull request
that fixes the issue</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
<h3 id="CVE-2026-40023"><a class="anchor" href="#CVE-2026-40023"></a><a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-40023">CVE-2026-40023</a></h3>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
@@ -976,7 +1061,7 @@ This may cause downstream log processing systems to reject
or fail to index affe
<p>The application uses <code>JsonTemplateLayout</code>.</p>
</li>
<li>
-<p>The application logs a <code>MapMessage</code> containing an
attacker-controlled floating-point value.</p>
+<p>The application logs a <code>MapMessage</code>, or logs an object directly
(e.g., via <code>Logger.info(Object)</code>, which wraps it in an
<code>ObjectMessage</code>), where the message contains an attacker-controlled
floating-point value.</p>
</li>
</ul>
</div>
@@ -986,6 +1071,19 @@ This may cause downstream log processing systems to
reject or fail to index affe
<div class="paragraph">
<p>Users are advised to upgrade to Apache Log4j JSON Template Layout version
<code>2.25.4</code>, which corrects this issue.</p>
</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<i class="fa icon-note" title="Note"></i>
+</td>
+<td class="content">
+The fix released in version <code>2.25.4</code> did not cover all affected
code paths.
+<a href="#CVE-2026-49844">CVE-2026-49844</a> was assigned to the remaining
issue, which concerns the <code>MapMessage.asJson()</code> serialization in
Apache Log4j API and is fixed in versions <code>2.25.5</code> and
<code>2.26.1</code>.
+</td>
+</tr>
+</table>
+</div>
</div>
<div class="sect3">
<h4 id="CVE-2026-34481-credits"><a class="anchor"
href="#CVE-2026-34481-credits"></a>Credits</h4>
diff --git a/sitemap.xml b/sitemap.xml
index c72d1049..274dba69 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -2,86 +2,86 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://logging.apache.org/blog/20231117-flume-joins-logging-services.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20231128-new-pmc-member.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20231202-apache-common-logging-1.3.0.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20231214-announcing-support-from-the-stf.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20231218-20-years-of-innovation.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20240725-Log4j-At-Community-Over-Code-2024.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20240808-welcome-to-the-pmc-jan.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20240812-log4j-bug-bounty.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20250728-introduction-to-vex-files.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/index.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/charter.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/download.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/guidelines.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/index.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/processes.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/security.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/security/faq.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/support.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/team-list.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/what-is-logging.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/xml/ns/index.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
</url>
</urlset>