Source: apache-log4j2
Version: 2.19.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/apache/logging-log4j2/pull/4163
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for apache-log4j2.

CVE-2026-49844[0]:
| Improper encoding of non-finite floating-point values during
| MapMessage JSON serialization in Apache Log4j API produces output
| that is not valid JSON. This issue affects Apache Log4j API versions
| 2.13.1 through 2.25.4 and version 2.26.0.  The fix for
| CVE-2026-34481 did not cover all code paths: when a MapMessage
| contains a non-finite IEEE 754 value (NaN, Infinity, or -Infinity),
| MapMessage.asJson() emits the corresponding bare token. RFC 8259
| does not permit these tokens, so a conformant parser rejects the
| resulting document.  The defect is reachable only when both of the
| following conditions hold:    *  The application uses the  message
| resolver https://logging.apache.org/log4j/2.x/manual/json-template-
| layout.html#event-template-resolver-message  of JsonTemplateLayout
| or any other layout that relies on MapMessage.asJson() or
| MapMessage.getFormattedMessage(new String[]{"JSON"}).   *  The
| application logs a MapMessage that contains an attacker-controlled
| floating-point value.   An attacker who can supply a non-finite
| value can cause the affected layout to emit malformed JSON, which
| may corrupt the enclosing log record or disrupt downstream log
| ingestion and parsing.  Users are advised to upgrade to Apache Log4j
| API 2.25.5 or 2.26.1, both of which emit RFC 8259-compliant JSON for
| non-finite values.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-49844
    https://www.cve.org/CVERecord?id=CVE-2026-49844
[1] https://logging.apache.org/security.html#CVE-2026-49844
[2] https://github.com/apache/logging-log4j2/pull/4163
[3] 
https://github.com/apache/logging-log4j2/commit/19edb23e162d6c728a8c2221a240037d389ed300

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to