<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for log4j</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE-SU-2026:0254-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2026-01-22T16:08:26Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2026-01-22T16:08:26Z</InitialReleaseDate>
    <CurrentReleaseDate>2026-01-22T16:08:26Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for log4j</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for log4j fixes the following issues:

Security fixes:

- CVE-2025-68161: Fixed absent TLS hostname verification
  that may allow a man-in-the-middle attack (bsc#1255427)

Other fixes:

- Upgrade to 2.18.0
  * Added
    + Add support for Jakarta Mail API in the SMTP appender.
    + Add support for custom Log4j 1.x levels.
    + Add support for adding and retrieving appenders in Log4j 1.x
      bridge.
    + Add support for custom LMAX disruptor WaitStrategy
      configuration.
    + Add support for Apache Extras' RollingFileAppender in Log4j
      1.x bridge.
    + Add MutableThreadContextMapFilter.
    + Add support for 24 colors in highlighting
  * Changed
    + Improves ServiceLoader support on servlet containers.
    + Make the default disruptor WaitStrategy used by Async Loggers
      garbage-free.
    + Do not throw UnsupportedOperationException when JUL
      ApiLogger::setLevel is called.
    + Support Spring 2.6.x.
    + Move perf tests to log4j-core-its
    + Upgrade the Flume Appender to Flume 1.10.0
  * Fixed
    + Fix minor typo #792.
    + Improve validation and reporting of configuration errors.
    + Allow enterprise id to be an OID fragment.
    + Fix problem with non-uppercase custom levels.
    + Avoid ClassCastException in JeroMqManager with custom
      LoggerContextFactory #791.
    + DirectWriteRolloverStrategy should use the current time when
      creating files.
    + Fixes the syslog appender in Log4j 1.x bridge, when used with
      a custom layout.
    + log4j-1.2-api 2.17.2 throws NullPointerException while
      removing appender with name as null.
    + Improve JsonTemplateLayout performance.
    + Fix resolution of non-Log4j properties.
    + Fixes Spring Boot logging system registration in a
      multi-application environment.
    + JAR file containing Log4j configuration isn’t closed.
    + Properties defined in configuration using a value attribute
      (as opposed to element) are read correctly.
    + Syslog appender lacks the SocketOptions setting.
    + Log4j 1.2 bridge should not wrap components unnecessarily.
    + Update 3rd party dependencies for 2.18.0.
    + SizeBasedTriggeringPolicy would fail to rename files properly
      when integer pattern contained a leading zero.
    + Fixes default SslConfiguration, when a custom keystore is
      used.
    + Fixes appender concurrency problems in Log4j 1.x bridge.
    + Fix and test for race condition in FileUtils.mkdir().
    + LocalizedMessage logs misleading errors on the console.
    + Add missing message parameterization in RegexFilter.
    + Add the missing context stack to JsonLayout template.
    + HttpWatcher did not pass credentials when polling.
    + UrlConnectionFactory.createConnection now accepts an
      AuthorizationProvider as a parameter.
    + The DirectWriteRolloverStrategy was not detecting the correct
      index to use during startup.
    + Async Loggers were including the location information by
      default.
    + ClassArbiter’s newBuilder method referenced the wrong class.
    + Don’t use Paths.get() to avoid circular file systems.
    + Fix parsing error, when XInclude is disabled.
    + Fix LevelRangeFilterBuilder to align with log4j1’s behavior.
    + Fixes problem with wrong ANSI escape code for bright colors
    + Log4j 1.2 bridge should generate Log4j 2.x messages based on
      the parameter runtime type.
- Update to 2.19.0
  * Added
    + Add implementation of SLF4J2 fluent API.
    + Add support for SLF4J2 stack-valued MDC.
  * Changed
    + Add getExplicitLevel method to LoggerConfig.
    + Allow PropertySources to be added.
    + Allow Plugins to be injected with the LoggerContext reference.
  * Fixed
    + Add correct manifest entries for OSGi to log4j-jcl
    + Improve support for passwordless keystores.
    + SystemPropertyArbiter was assigning the value as the name.
    + Make JsonTemplateLayout stack trace truncation operate for
      each label block.
    + Fix recursion between Log4j 1.2 LogManager and Category.
    + Fix resolution of properties not starting with log4j2..
    + Logger$PrivateConfig.filter(Level, Marker, String) was
      allocating empty varargs array.
    + Allows a space separated list of style specifiers in the
      %style pattern for consistency with %highlight.
    + Fix NPE in log4j-to-jul in the case the root logger level is
      null.
    + Fix RollingRandomAccessFileAppender with
      DirectWriteRolloverStrategy can’t create the first log file of
      different directory.
    + Generate new SSL certs for testing.
    + Fix ServiceLoaderUtil behavior in the presence of a
      SecurityManager.
    + Fix regression in Rfc5424Layout default values.
    + Harden InstantFormatter against delegate failures.
    + Add async support to Log4jServletFilter.
  * Removed
    + Removed build page in favor of a single build instructions
      file.
    + Remove SLF4J 1.8.x binding.
- Update to 2.20.0
  * Added
    + Add support for timezones in RollingFileAppender date pattern
    + Add LogEvent timestamp to ProducerRecord in KafkaAppender
    + Add PatternLayout support for abbreviating the name of all
      logger components except the 2 rightmost
    + Removes internal field that leaked into public API.
    + Add a LogBuilder#logAndGet() method to emulate the
      Logger#traceEntry method.
  * Changed
    + Simplify site generation
    + Switch the issue tracker from JIRA to GitHub Issues
    + Remove liquibase-log4j2 maven module
    + Fix order of stacktrace elements, that causes cache misses in
      ThrowableProxyHelper.
    + Switch from com.sun.mail to Eclipse Angus.
    + Add Log4j2 Core as default runtime dependency of the
      SLF4J2-to-Log4j2 API bridge.
    + Replace maven-changes-plugin with a custom changelog
      implementation
    + Moved log4j-api and log4j-core artifacts with classifier tests
      to log4j-api-test and log4j-core-test respectively.
  * Deprecated
    + Deprecate support for package scanning for plugins
  * Fixed
    + Copy programmatically supplied location even if
      includeLocation='false'.
    + Eliminate status logger warning, when disableAnsi or
      noConsoleNoAnsi is used the style and highlight patterns.
    + Fix detection of location requirements in RewriteAppender.
    + Replace regex with manual code to escape characters in
      Rfc5424Layout.
    + Fix java.sql.Time object formatting in MapMessage
    + Fix previous fire time computation in CronTriggeringPolicy
    + Correct default to not include location for AsyncRootLoggers
    + Make StatusConsoleListener use SimpleLogger internally.
    + Lazily evaluate the level of a SLF4J LogEventBuilder
    + Fixes priority of Legacy system properties, which are now back
      to having higher priority than Environment variables.
    + Protects ServiceLoaderUtil from unchecked ServiceLoader
      exceptions.
    + Fix Configurator#setLevel for internal classes
    + Fix level propagation in Log4jBridgeHandler
    + Disable OsgiServiceLocator if not running in OSGI container.
    + When using a Date Lookup in the file pattern the current time
      should be used.
    + Fixed LogBuilder filtering in the presence of global filters.
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">SUSE-2026-254,SUSE-SLE-Module-Basesystem-15-SP7-2026-254,openSUSE-SLE-15.6-2026-254</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260254-1/</URL>
      <Description>Link for SUSE-SU-2026:0254-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://lists.suse.com/pipermail/sle-security-updates/2026-January/023894.html</URL>
      <Description>E-Mail link for SUSE-SU-2026:0254-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255427</URL>
      <Description>SUSE Bug 1255427</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-68161/</URL>
      <Description>SUSE CVE CVE-2025-68161 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Linux Enterprise Module for Basesystem 15 SP7">
      <Branch Type="Product Name" Name="SUSE Linux Enterprise Module for Basesystem 15 SP7">
        <FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP7" CPE="cpe:/o:suse:sle-module-basesystem:15:sp7">SUSE Linux Enterprise Module for Basesystem 15 SP7</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="openSUSE Leap 15.6">
      <Branch Type="Product Name" Name="openSUSE Leap 15.6">
        <FullProductName ProductID="openSUSE Leap 15.6" CPE="cpe:/o:opensuse:leap:15.6">openSUSE Leap 15.6</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="log4j-2.20.0-150200.4.30.1">
      <FullProductName ProductID="log4j-2.20.0-150200.4.30.1">log4j-2.20.0-150200.4.30.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="log4j-bom-2.20.0-150200.4.30.1">
      <FullProductName ProductID="log4j-bom-2.20.0-150200.4.30.1">log4j-bom-2.20.0-150200.4.30.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="log4j-javadoc-2.20.0-150200.4.30.1">
      <FullProductName ProductID="log4j-javadoc-2.20.0-150200.4.30.1">log4j-javadoc-2.20.0-150200.4.30.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="log4j-jcl-2.20.0-150200.4.30.1">
      <FullProductName ProductID="log4j-jcl-2.20.0-150200.4.30.1">log4j-jcl-2.20.0-150200.4.30.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="log4j-slf4j-2.20.0-150200.4.30.1">
      <FullProductName ProductID="log4j-slf4j-2.20.0-150200.4.30.1">log4j-slf4j-2.20.0-150200.4.30.1</FullProductName>
    </Branch>
    <Relationship ProductReference="log4j-2.20.0-150200.4.30.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Basesystem 15 SP7">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.30.1">log4j-2.20.0-150200.4.30.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7</FullProductName>
    </Relationship>
    <Relationship ProductReference="log4j-javadoc-2.20.0-150200.4.30.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Basesystem 15 SP7">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.30.1">log4j-javadoc-2.20.0-150200.4.30.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7</FullProductName>
    </Relationship>
    <Relationship ProductReference="log4j-jcl-2.20.0-150200.4.30.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Basesystem 15 SP7">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.30.1">log4j-jcl-2.20.0-150200.4.30.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7</FullProductName>
    </Relationship>
    <Relationship ProductReference="log4j-slf4j-2.20.0-150200.4.30.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Module for Basesystem 15 SP7">
      <FullProductName ProductID="SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.30.1">log4j-slf4j-2.20.0-150200.4.30.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7</FullProductName>
    </Relationship>
    <Relationship ProductReference="log4j-2.20.0-150200.4.30.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.6">
      <FullProductName ProductID="openSUSE Leap 15.6:log4j-2.20.0-150200.4.30.1">log4j-2.20.0-150200.4.30.1 as a component of openSUSE Leap 15.6</FullProductName>
    </Relationship>
    <Relationship ProductReference="log4j-javadoc-2.20.0-150200.4.30.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.6">
      <FullProductName ProductID="openSUSE Leap 15.6:log4j-javadoc-2.20.0-150200.4.30.1">log4j-javadoc-2.20.0-150200.4.30.1 as a component of openSUSE Leap 15.6</FullProductName>
    </Relationship>
    <Relationship ProductReference="log4j-jcl-2.20.0-150200.4.30.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.6">
      <FullProductName ProductID="openSUSE Leap 15.6:log4j-jcl-2.20.0-150200.4.30.1">log4j-jcl-2.20.0-150200.4.30.1 as a component of openSUSE Leap 15.6</FullProductName>
    </Relationship>
    <Relationship ProductReference="log4j-slf4j-2.20.0-150200.4.30.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.6">
      <FullProductName ProductID="openSUSE Leap 15.6:log4j-slf4j-2.20.0-150200.4.30.1">log4j-slf4j-2.20.0-150200.4.30.1 as a component of openSUSE Leap 15.6</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) or the log4j2.sslVerifyHostName system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

  * The attacker is able to intercept or redirect network traffic between the client and the log receiver.
  * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender's configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.

As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.</Note>
    </Notes>
    <CVE>CVE-2025-68161</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.30.1</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.30.1</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.30.1</ProductID>
        <ProductID>SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.30.1</ProductID>
        <ProductID>openSUSE Leap 15.6:log4j-2.20.0-150200.4.30.1</ProductID>
        <ProductID>openSUSE Leap 15.6:log4j-javadoc-2.20.0-150200.4.30.1</ProductID>
        <ProductID>openSUSE Leap 15.6:log4j-jcl-2.20.0-150200.4.30.1</ProductID>
        <ProductID>openSUSE Leap 15.6:log4j-slf4j-2.20.0-150200.4.30.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2026/suse-su-20260254-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-68161.html</URL>
        <Description>CVE-2025-68161</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255427</URL>
        <Description>SUSE Bug 1255427</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
