Source: apache-log4j2 Version: 2.19.0-2 Severity: important Tags: security upstream Forwarded: https://github.com/apache/logging-log4j2/pull/4163 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for apache-log4j2. CVE-2026-49844[0]: | Improper encoding of non-finite floating-point values during | MapMessage JSON serialization in Apache Log4j API produces output | that is not valid JSON. This issue affects Apache Log4j API versions | 2.13.1 through 2.25.4 and version 2.26.0. The fix for | CVE-2026-34481 did not cover all code paths: when a MapMessage | contains a non-finite IEEE 754 value (NaN, Infinity, or -Infinity), | MapMessage.asJson() emits the corresponding bare token. RFC 8259 | does not permit these tokens, so a conformant parser rejects the | resulting document. The defect is reachable only when both of the | following conditions hold: * The application uses the message | resolver https://logging.apache.org/log4j/2.x/manual/json-template- | layout.html#event-template-resolver-message of JsonTemplateLayout | or any other layout that relies on MapMessage.asJson() or | MapMessage.getFormattedMessage(new String[]{"JSON"}). * The | application logs a MapMessage that contains an attacker-controlled | floating-point value. An attacker who can supply a non-finite | value can cause the affected layout to emit malformed JSON, which | may corrupt the enclosing log record or disrupt downstream log | ingestion and parsing. Users are advised to upgrade to Apache Log4j | API 2.25.5 or 2.26.1, both of which emit RFC 8259-compliant JSON for | non-finite values. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-49844 https://www.cve.org/CVERecord?id=CVE-2026-49844 [1] https://logging.apache.org/security.html#CVE-2026-49844 [2] https://github.com/apache/logging-log4j2/pull/4163 [3] https://github.com/apache/logging-log4j2/commit/19edb23e162d6c728a8c2221a240037d389ed300 Please adjust the affected versions in the BTS as needed. Regards, Salvatore __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
