From eaca802067c914b6b5c08e890c5f066e2f9d1a64 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Thu, 9 Jul 2026 21:43:24 +0200 Subject: [PATCH 1/2] Add CVE-2026-49844 and update CVE-2026-34481 CVE-2026-49844 covers the `MapMessage.asJson()` code path in Log4j API that the CVE-2026-34481 fix in JSON Template Layout 2.25.4 did not reach. It affects `log4j-api` `[2.13.1, 2.25.5)`, `[2.26.0, 2.26.1)` and `[3.0.0-alpha1, 3.0.0-beta2]`, and is fixed in 2.25.5 and 2.26.1. CVE-2026-34481 is amended to note that an `ObjectMessage`, e.g. one produced by `Logger.info(Object)`, is also affected, and to point at the follow-up CVE. Add a `log4j-api` dummy component to the VDR, bump the BOM version and refresh the affected `updated` elements. Assisted-By: Claude Opus 4.8 (1M context) --- .../modules/ROOT/pages/_vulnerabilities.adoc | 50 ++++++++++- src/site/static/cyclonedx/vdr.xml | 84 +++++++++++++++++-- 2 files changed, 128 insertions(+), 6 deletions(-) diff --git a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc index b380adfe..7413c5de 100644 --- a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc +++ b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc @@ -29,6 +29,51 @@ Version ranges follow the https://github.com/package-url/vers-spec/blob/main/VER For brevity, mathematical interval notation is used, with the union operator (`∪`) to represent multiple ranges. ==== +[#CVE-2026-49844] +== {cve-url-prefix}/CVE-2026-49844[CVE-2026-49844] + +[cols="1h,5"] +|=== +|Summary |Improper serialization of non-finite floating-point values in `MapMessageJsonFormatter` +|CVSS 4.x Score & Vector |6.3 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N) +|Components affected |`log4j-api` +|Versions affected |`[2.13.1, 2.25.5) ∪ [2.26.0, 2.26.1) ∪ [3.0.0-alpha1, 3.0.0-beta2]` +|Versions fixed |`2.25.5` and `2.26.1` +|=== + +[#CVE-2026-49844-description] +=== Description + +Improper encoding of non-finite floating-point values during `MapMessage` JSON serialization in Apache Log4j API produces output that is not valid JSON. +This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. + +The fix for xref:#CVE-2026-34481[CVE-2026-34481] did not cover all code paths: when a `MapMessage` contains a non-finite IEEE 754 value (`NaN`, `Infinity`, or `-Infinity`), `MapMessage.asJson()` emits the corresponding bare token. +RFC 8259 does not permit these tokens, so a conformant parser rejects the resulting document. + +The defect is reachable only when both of the following conditions hold: + +* The application uses the +https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message[`message` resolver] +of `JsonTemplateLayout`, or any other layout that relies on `MapMessage.asJson()` or `MapMessage.getFormattedMessage(new String[] {"JSON"})`. +* The application logs a `MapMessage` that contains an attacker-controlled floating-point value. + +An attacker who can supply a non-finite value can cause the affected layout to emit malformed JSON, which may corrupt the enclosing log record or disrupt downstream log ingestion and parsing. + +[#CVE-2026-49844-remediation] +=== Remediation + +Users are advised to upgrade to Apache Log4j API version `2.25.5` or `2.26.1`, both of which emit RFC 8259-compliant JSON for non-finite values. + +[#CVE-2026-49844-credits] +=== Credits + +This issue was discovered by Himanshu Anand. + +[#CVE-2026-49844-references] +=== References +* {cve-url-prefix}/CVE-2026-49844[CVE-2026-49844] +* https://github.com/apache/logging-log4j2/pull/4163[Pull request that fixes the issue] + [#CVE-2026-40023] == {cve-url-prefix}/CVE-2026-40023[CVE-2026-40023] @@ -132,13 +177,16 @@ This may cause downstream log processing systems to reject or fail to index affe An attacker can exploit this issue only if both of the following conditions are met: * The application uses `JsonTemplateLayout`. -* The application logs a `MapMessage` containing an attacker-controlled floating-point value. +* The application logs a `MapMessage`, or logs an object directly (e.g., via `Logger.info(Object)`, which wraps it in an `ObjectMessage`), where the message contains an attacker-controlled floating-point value. [#CVE-2026-34481-remediation] === Remediation Users are advised to upgrade to Apache Log4j JSON Template Layout version `2.25.4`, which corrects this issue. +NOTE: The fix released in version `2.25.4` did not cover all affected code paths. +xref:#CVE-2026-49844[CVE-2026-49844] was assigned to the remaining issue, which concerns the `MapMessage.asJson()` serialization in Apache Log4j API and is fixed in versions `2.25.5` and `2.26.1`. + [#CVE-2026-34481-credits] === Credits diff --git a/src/site/static/cyclonedx/vdr.xml b/src/site/static/cyclonedx/vdr.xml index f7f0739a..861e5d77 100644 --- a/src/site/static/cyclonedx/vdr.xml +++ b/src/site/static/cyclonedx/vdr.xml @@ -40,11 +40,11 @@ - 2026-04-10T11:53:17Z + 2026-07-10T20:53:31Z Apache Logging Services https://logging.apache.org @@ -62,6 +62,12 @@ Log4cxx pkg:conan/log4cxx + + org.apache.logging.log4j + log4j-api + cpe:2.3:a:apache:log4j_api:*:*:*:*:*:*:*:* + pkg:maven/org.apache.logging.log4j/log4j-api?type=jar + org.apache.logging.log4j log4j-core @@ -89,6 +95,71 @@ + + CVE-2026-49844 + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2026-49844 + + + + + The Apache Software Foundation + + + + 6.3 + medium + CVSSv4 + AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N + + + + 116 + + + + 2026-07-10T20:53:31Z + 2026-07-10T20:53:31Z + 2026-07-10T20:53:31Z + + + + Himanshu Anand + + + + + + log4j-api + + + =2.13.1|<2.25.5]]> + + + =2.26.0|<2.26.1]]> + + + =3.0.0-alpha1|<=3.0.0-beta2]]> + + + + + + CVE-2026-40023 @@ -235,11 +306,14 @@ This may cause downstream log processing systems to reject or fail to index affe An attacker can exploit this issue only if both of the following conditions are met: * The application uses `JsonTemplateLayout`. -* The application logs a `MapMessage` containing an attacker-controlled floating-point value.]]> - +* The application logs a `MapMessage`, or logs an object directly (e.g., via `Logger.info(Object)`, which wraps it in an `ObjectMessage`), where the message contains an attacker-controlled floating-point value.]]> + 2026-04-10T11:53:17Z 2026-04-10T11:53:17Z - 2026-04-10T11:53:17Z + 2026-07-10T20:53:31Z From 370bdf3bfeed56845c9bfb9cf6fe59df70a04d6f Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Fri, 10 Jul 2026 23:08:41 +0200 Subject: [PATCH 2/2] fix: apply Copilot suggestion --- src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc index 7413c5de..06b9ac0a 100644 --- a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc +++ b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc @@ -34,7 +34,7 @@ For brevity, mathematical interval notation is used, with the union operator (` [cols="1h,5"] |=== -|Summary |Improper serialization of non-finite floating-point values in `MapMessageJsonFormatter` +|Summary |Improper serialization of non-finite floating-point values in `MapMessage.asJson()` |CVSS 4.x Score & Vector |6.3 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N) |Components affected |`log4j-api` |Versions affected |`[2.13.1, 2.25.5) ∪ [2.26.0, 2.26.1) ∪ [3.0.0-alpha1, 3.0.0-beta2]`