(pulsar) branch branch-4.0 updated: [fix][sec] Upgrade log4j to 2.25.4 to address CVE-2026-34477, CVE-2026-34478, CVE-2026-34480, CVE-2026-34481

mmerli Wed, 15 Apr 2026 09:45:48 -0700

This is an automated email from the ASF dual-hosted git repository.

mmerli pushed a commit to branch branch-4.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git



The following commit(s) were added to refs/heads/branch-4.0 by this push:
     new 8b0c1a3eee4 [fix][sec] Upgrade log4j to 2.25.4 to address 
CVE-2026-34477, CVE-2026-34478, CVE-2026-34480, CVE-2026-34481
8b0c1a3eee4 is described below

commit 8b0c1a3eee46a39d7158bcd48cbbfbf6c8c2796e
Author: Matteo Merli <[email protected]>
AuthorDate: Wed Apr 15 09:18:24 2026 -0700

    [fix][sec] Upgrade log4j to 2.25.4 to address CVE-2026-34477, 
CVE-2026-34478, CVE-2026-34480, CVE-2026-34481
    
    Upgrades org.apache.logging.log4j:* from 2.25.3 to 2.25.4 to fix:
    - CVE-2026-34477: verifyHostName attribute silently ignored in TLS 
configuration
    - CVE-2026-34478: log injection in Rfc5424Layout due to silent 
configuration incompatibility
    - CVE-2026-34480: XmlLayout fails to sanitize characters forbidden by XML 
1.0
    - CVE-2026-34481: JsonTemplateLayout produces invalid JSON for non-finite 
floats
    
    (cherry picked from commit dfb06f183c312b849fce42d729c6b36181239490)
---
 buildtools/pom.xml                               |  2 +-
 distribution/server/src/assemble/LICENSE.bin.txt | 10 +++++-----
 distribution/shell/src/assemble/LICENSE.bin.txt  |  8 ++++----
 pom.xml                                          |  2 +-
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/buildtools/pom.xml b/buildtools/pom.xml
index de3ff4b8008..2d378b86430 100644
--- a/buildtools/pom.xml
+++ b/buildtools/pom.xml
@@ -48,7 +48,7 @@
     <maven.compiler.target>1.8</maven.compiler.target>
     <maven.compiler.release>8</maven.compiler.release>
     <surefire.version>3.1.0</surefire.version>
-    <log4j2.version>2.25.3</log4j2.version>
+    <log4j2.version>2.25.4</log4j2.version>
     <slf4j.version>2.0.17</slf4j.version>
     <testng.version>7.7.1</testng.version>
     <commons-lang3.version>3.19.0</commons-lang3.version>
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt 
b/distribution/server/src/assemble/LICENSE.bin.txt
index 7c0b464e1b2..450080822a8 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -348,11 +348,11 @@ The Apache Software License, Version 2.0
     - jakarta.validation-jakarta.validation-api-2.0.2.jar
     - javax.validation-validation-api-1.1.0.Final.jar
  * Log4J
-    - org.apache.logging.log4j-log4j-api-2.25.3.jar
-    - org.apache.logging.log4j-log4j-core-2.25.3.jar
-    - org.apache.logging.log4j-log4j-slf4j2-impl-2.25.3.jar
-    - org.apache.logging.log4j-log4j-web-2.25.3.jar
-    - org.apache.logging.log4j-log4j-layout-template-json-2.25.3.jar
+    - org.apache.logging.log4j-log4j-api-2.25.4.jar
+    - org.apache.logging.log4j-log4j-core-2.25.4.jar
+    - org.apache.logging.log4j-log4j-slf4j2-impl-2.25.4.jar
+    - org.apache.logging.log4j-log4j-web-2.25.4.jar
+    - org.apache.logging.log4j-log4j-layout-template-json-2.25.4.jar
  * Java Native Access JNA
     - net.java.dev.jna-jna-jpms-5.12.1.jar
     - net.java.dev.jna-jna-platform-jpms-5.12.1.jar
diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt 
b/distribution/shell/src/assemble/LICENSE.bin.txt
index 4e2820a57fd..31afc9b2ed6 100644
--- a/distribution/shell/src/assemble/LICENSE.bin.txt
+++ b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -381,10 +381,10 @@ The Apache Software License, Version 2.0
     - simpleclient_tracer_otel-0.16.0.jar
     - simpleclient_tracer_otel_agent-0.16.0.jar
  * Log4J
-    - log4j-api-2.25.3.jar
-    - log4j-core-2.25.3.jar
-    - log4j-slf4j2-impl-2.25.3.jar
-    - log4j-web-2.25.3.jar
+    - log4j-api-2.25.4.jar
+    - log4j-core-2.25.4.jar
+    - log4j-slf4j2-impl-2.25.4.jar
+    - log4j-web-2.25.4.jar
  * OpenTelemetry
     - opentelemetry-api-1.56.0.jar
     - opentelemetry-api-incubator-1.56.0-alpha.jar
diff --git a/pom.xml b/pom.xml
index 4a858b0a290..a28dbec1cd8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -195,7 +195,7 @@ flexible messaging model and an intuitive client 
API.</description>
     <rocksdb.version>7.9.2</rocksdb.version>
     <slf4j.version>2.0.17</slf4j.version>
     <commons.collections4.version>4.5.0</commons.collections4.version>
-    <log4j2.version>2.25.3</log4j2.version>
+    <log4j2.version>2.25.4</log4j2.version>
     <!-- bouncycastle dependencies aren't necessarily aligned -->
     
<bouncycastle.bcprov-jdk18on.version>1.78.1</bouncycastle.bcprov-jdk18on.version>
     
<bouncycastle.bcpkix-jdk18on.version>1.81</bouncycastle.bcpkix-jdk18on.version>

(pulsar) branch branch-4.0 updated: [fix][sec] Upgrade log4j to 2.25.4 to address CVE-2026-34477, CVE-2026-34478, CVE-2026-34480, CVE-2026-34481

Reply via email to