diff --git a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc index b380adfe..06b9ac0a 100644 --- a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc +++ b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc @@ -29,6 +29,51 @@ Version ranges follow the https://github.com/package-url/vers-spec/blob/main/VER For brevity, mathematical interval notation is used, with the union operator (`∪`) to represent multiple ranges. ==== +[#CVE-2026-49844] +== {cve-url-prefix}/CVE-2026-49844[CVE-2026-49844] + +[cols="1h,5"] +|=== +|Summary |Improper serialization of non-finite floating-point values in `MapMessage.asJson()` +|CVSS 4.x Score & Vector |6.3 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N) +|Components affected |`log4j-api` +|Versions affected |`[2.13.1, 2.25.5) ∪ [2.26.0, 2.26.1) ∪ [3.0.0-alpha1, 3.0.0-beta2]` +|Versions fixed |`2.25.5` and `2.26.1` +|=== + +[#CVE-2026-49844-description] +=== Description + +Improper encoding of non-finite floating-point values during `MapMessage` JSON serialization in Apache Log4j API produces output that is not valid JSON. +This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. + +The fix for xref:#CVE-2026-34481[CVE-2026-34481] did not cover all code paths: when a `MapMessage` contains a non-finite IEEE 754 value (`NaN`, `Infinity`, or `-Infinity`), `MapMessage.asJson()` emits the corresponding bare token. +RFC 8259 does not permit these tokens, so a conformant parser rejects the resulting document. + +The defect is reachable only when both of the following conditions hold: + +* The application uses the +https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message[`message` resolver] +of `JsonTemplateLayout`, or any other layout that relies on `MapMessage.asJson()` or `MapMessage.getFormattedMessage(new String[] {"JSON"})`. +* The application logs a `MapMessage` that contains an attacker-controlled floating-point value. + +An attacker who can supply a non-finite value can cause the affected layout to emit malformed JSON, which may corrupt the enclosing log record or disrupt downstream log ingestion and parsing. + +[#CVE-2026-49844-remediation] +=== Remediation + +Users are advised to upgrade to Apache Log4j API version `2.25.5` or `2.26.1`, both of which emit RFC 8259-compliant JSON for non-finite values. + +[#CVE-2026-49844-credits] +=== Credits + +This issue was discovered by Himanshu Anand. + +[#CVE-2026-49844-references] +=== References +* {cve-url-prefix}/CVE-2026-49844[CVE-2026-49844] +* https://github.com/apache/logging-log4j2/pull/4163[Pull request that fixes the issue] + [#CVE-2026-40023] == {cve-url-prefix}/CVE-2026-40023[CVE-2026-40023] @@ -132,13 +177,16 @@ This may cause downstream log processing systems to reject or fail to index affe An attacker can exploit this issue only if both of the following conditions are met: * The application uses `JsonTemplateLayout`. -* The application logs a `MapMessage` containing an attacker-controlled floating-point value. +* The application logs a `MapMessage`, or logs an object directly (e.g., via `Logger.info(Object)`, which wraps it in an `ObjectMessage`), where the message contains an attacker-controlled floating-point value. [#CVE-2026-34481-remediation] === Remediation Users are advised to upgrade to Apache Log4j JSON Template Layout version `2.25.4`, which corrects this issue. +NOTE: The fix released in version `2.25.4` did not cover all affected code paths. +xref:#CVE-2026-49844[CVE-2026-49844] was assigned to the remaining issue, which concerns the `MapMessage.asJson()` serialization in Apache Log4j API and is fixed in versions `2.25.5` and `2.26.1`. + [#CVE-2026-34481-credits] === Credits diff --git a/src/site/static/cyclonedx/vdr.xml b/src/site/static/cyclonedx/vdr.xml index f7f0739a..861e5d77 100644 --- a/src/site/static/cyclonedx/vdr.xml +++ b/src/site/static/cyclonedx/vdr.xml @@ -40,11 +40,11 @@ - 2026-04-10T11:53:17Z + 2026-07-10T20:53:31Z Apache Logging Services https://logging.apache.org @@ -62,6 +62,12 @@ Log4cxx pkg:conan/log4cxx + + org.apache.logging.log4j + log4j-api + cpe:2.3:a:apache:log4j_api:*:*:*:*:*:*:*:* + pkg:maven/org.apache.logging.log4j/log4j-api?type=jar + org.apache.logging.log4j log4j-core @@ -89,6 +95,71 @@ + + CVE-2026-49844 + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2026-49844 + + + + + The Apache Software Foundation + + + + 6.3 + medium + CVSSv4 + AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N + + + + 116 + + + + 2026-07-10T20:53:31Z + 2026-07-10T20:53:31Z + 2026-07-10T20:53:31Z + + + + Himanshu Anand + + + + + + log4j-api + + + =2.13.1|<2.25.5]]> + + + =2.26.0|<2.26.1]]> + + + =3.0.0-alpha1|<=3.0.0-beta2]]> + + + + + + CVE-2026-40023 @@ -235,11 +306,14 @@ This may cause downstream log processing systems to reject or fail to index affe An attacker can exploit this issue only if both of the following conditions are met: * The application uses `JsonTemplateLayout`. -* The application logs a `MapMessage` containing an attacker-controlled floating-point value.]]> - +* The application logs a `MapMessage`, or logs an object directly (e.g., via `Logger.info(Object)`, which wraps it in an `ObjectMessage`), where the message contains an attacker-controlled floating-point value.]]> + 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z - 2026-04-10T11:53:17Z + 2026-07-10T20:53:31Z