Security update for log4j

Announcement ID:	SUSE-SU-2026:1843-1
Release Date:	2026-05-13T15:24:58Z
Rating:	moderate
References:	bsc#1262050 bsc#1262091 bsc#1262092 bsc#1262093
Cross-References:	CVE-2026-34477 CVE-2026-34479 CVE-2026-34480 CVE-2026-34481
CVSS scores:	CVE-2026-34477 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N CVE-2026-34477 ( NVD ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-34477 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2026-34479 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-34479 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-34479 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2026-34480 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVE-2026-34480 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-34480 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2026-34481 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-34481 ( NVD ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-34481 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:	Basesystem Module 15-SP7 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves four vulnerabilities can now be installed.

Description:

This update for log4j fixes the following issues:

• CVE-2026-34477: TLS connections vulnerable to interception due to incomplete hostname verification configuration checks (bsc#1262050).
• CVE-2026-34479: silent log event loss due to improper XML escaping in Log4j1XmlLayout (bsc#1262091).
• CVE-2026-34480: silent log event loss due to improper XML escaping in XmlLayout (bsc#1262092).
• CVE-2026-34481: silent log event loss due to improper serialization of non-finite floating-point values in JsonTemplateLayout (bsc#1262093).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-1843=1

Package List:

• Basesystem Module 15-SP7 (noarch)
  • log4j-jcl-2.20.0-150200.4.33.1
  • log4j-javadoc-2.20.0-150200.4.33.1
  • log4j-slf4j-2.20.0-150200.4.33.1
  • log4j-2.20.0-150200.4.33.1

References:

• https://www.suse.com/security/cve/CVE-2026-34477.html
• https://www.suse.com/security/cve/CVE-2026-34479.html
• https://www.suse.com/security/cve/CVE-2026-34480.html
• https://www.suse.com/security/cve/CVE-2026-34481.html
• https://bugzilla.suse.com/show_bug.cgi?id=1262050
• https://bugzilla.suse.com/show_bug.cgi?id=1262091
• https://bugzilla.suse.com/show_bug.cgi?id=1262092
• https://bugzilla.suse.com/show_bug.cgi?id=1262093