OPENSUSE-SU-2026:20705-1

Vulnerability from csaf_opensuse - Published: 2026-05-07 10:19 - Updated: 2026-05-07 10:19
Summary
Security update for log4cxx
Severity
Moderate
Notes
Title of the patch: Security update for log4cxx
Description of the patch: This update for log4cxx fixes the following issues:

Changes in log4cxx:

- update to 1.7.0 (bsc#1261994, CVE-2026-40023):
  * Non-ASCII characters incorrectly encoded in JSON output [#615]
  * XML output could contain characters not allowed by the XML 1.0 specification
  * An XML configuration file with recursive references caused program termination [#605]
  * Possible undefined behavior during a configuration change
  * Message loss when the calculation of a logged value also logs
  * ODBCAppender prepared statement value buffers had incorrect lifetimes [#581]
- update to 1.6.0:
  * Configuration ${varname} values can be set programmatically prior to loading a configuration file (see com/foo/config4.cpp) [#520]
  * The current executable's file name and its components are available for use in a configuration file and in the LOG4CXX_CONFIGURATION environment variable (see log4cxx::spi::Configurator::properties) [#520]
  * Console output (Log4cxx internal logging and BasicConfigurator) uses a color per message level by default [#529]
  * New logging macros that defer binary-to-text conversion until used in AsyncAppender's background thread
  * A simplified way to attach an AsyncAppender to a logger using a configuration file [#550]
Patchnames: openSUSE-Leap-16.0-packagehub-235
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Vendor Fix: To install this SUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
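The XML item in the 1.7.0 changelog above is the behaviour behind CVE-2026-40023: a record whose message, NDC or MDC data contains a code point outside the XML 1.0 Char production is not well-formed XML, a conforming parser must reject it with a fatal error, and anyone who can get such a byte into logged input can make that record vanish from an XML-based pipeline. The following is an added example, not log4cxx's own code and not its XMLLayout: it shows the failure mode in miniature (escaping only markup characters, which leaves a 0x01 byte in the record) next to a hardened form that also replaces forbidden code points. All function names and the sample message are this example's own.

```cpp
// Added example, not log4cxx code: isXml10Char, decodeUtf8, markupOnlyEscape
// and sanitizeForXml are this example's own names, not log4cxx API.
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// XML 1.0 section 2.2, production [2] Char:
//   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
bool isXml10Char(uint32_t cp) {
    return cp == 0x9 || cp == 0xA || cp == 0xD ||
           (cp >= 0x20 && cp <= 0xD7FF) ||
           (cp >= 0xE000 && cp <= 0xFFFD) ||
           (cp >= 0x10000 && cp <= 0x10FFFF);
}

// Minimal UTF-8 decoder. Malformed sequences yield 0xFFFFFFFF, which lies outside
// the Char production, so they are treated as forbidden rather than passed through.
// (Overlong encodings are not rejected; that is outside this example's scope.)
std::vector<uint32_t> decodeUtf8(const std::string& s) {
    std::vector<uint32_t> out;
    for (size_t i = 0; i < s.size();) {
        unsigned char b = static_cast<unsigned char>(s[i]);
        size_t len;
        uint32_t cp;
        if (b < 0x80)                { len = 1; cp = b; }
        else if ((b & 0xE0) == 0xC0) { len = 2; cp = b & 0x1F; }
        else if ((b & 0xF0) == 0xE0) { len = 3; cp = b & 0x0F; }
        else if ((b & 0xF8) == 0xF0) { len = 4; cp = b & 0x07; }
        else { out.push_back(0xFFFFFFFF); ++i; continue; }
        if (i + len > s.size()) { out.push_back(0xFFFFFFFF); break; }
        bool ok = true;
        for (size_t k = 1; k < len; ++k) {
            unsigned char c = static_cast<unsigned char>(s[i + k]);
            if ((c & 0xC0) != 0x80) { ok = false; break; }
            cp = (cp << 6) | (c & 0x3F);
        }
        out.push_back(ok ? cp : 0xFFFFFFFF);
        i += ok ? len : 1;
    }
    return out;
}

// Re-encodes one code point as UTF-8.
void appendUtf8(std::string& out, uint32_t cp) {
    if (cp < 0x80) { out += static_cast<char>(cp); return; }
    if (cp < 0x800) { out += static_cast<char>(0xC0 | (cp >> 6)); }
    else if (cp < 0x10000) { out += static_cast<char>(0xE0 | (cp >> 12)); out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F)); }
    else { out += static_cast<char>(0xF0 | (cp >> 18)); out += static_cast<char>(0x80 | ((cp >> 12) & 0x3F)); out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F)); }
    out += static_cast<char>(0x80 | (cp & 0x3F));
}

// True when any code point in s lies outside the XML 1.0 Char production,
// i.e. when a conforming parser would have to reject a document containing s.
bool containsForbiddenXmlChar(const std::string& s) {
    for (uint32_t cp : decodeUtf8(s)) if (!isXml10Char(cp)) return true;
    return false;
}

// The pre-1.7.0 failure mode in miniature: only markup characters are escaped,
// so a control character in attacker-influenced input survives into the record.
std::string markupOnlyEscape(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default: out += c;
        }
    }
    return out;
}

// Hardened form: escape markup and replace every forbidden code point with
// U+FFFD, so the record stays well-formed and the tampering stays visible.
std::string sanitizeForXml(const std::string& s) {
    std::string out;
    for (uint32_t cp : decodeUtf8(s)) {
        if (!isXml10Char(cp)) { out += "\xEF\xBF\xBD"; continue; }
        switch (cp) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default: appendUtf8(out, cp);
        }
    }
    return out;
}

int main() {
    // Constructed sample: a username carrying a 0x01 byte, as an attacker could
    // supply through any input that ends up in a log message or MDC value.
    const std::string tainted = std::string("login failed for user alice\x01") + "<probe>";
    const std::string naive = markupOnlyEscape(tainted);
    const std::string safe  = sanitizeForXml(tainted);
    std::cout << "markup-only record well-formed: " << (containsForbiddenXmlChar(naive) ? "no" : "yes") << '\n';
    std::cout << "sanitized record well-formed:   " << (containsForbiddenXmlChar(safe) ? "no" : "yes") << '\n';
    std::cout << "<message>" << safe << "</message>\n";
    return 0;
}
```

Replacing rather than dropping the forbidden code point is deliberate: a record that silently loses bytes hides the fact that someone tried to corrupt the log, whereas a visible U+FFFD in a username field is itself a detection signal. The same check belongs on the consuming side too, since any record written by an unpatched library will still fail to parse.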

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for log4cxx",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for log4cxx fixes the following issues:\n\nChanges in log4cxx:\n\n- update to 1.7.0 (bsc#1261994, CVE-2026-40023):\n  * Non-ascii characters incorrectly encoded in JSON output [#615]\n  * XML output could contain characters not allowed by the XML 1.0\n    specification\n  * An XML configuration file with recursive references caused\n    program termination [#605]\n  * Possible undefined behavior during a configuration change\n  * Message loss when the calculation of a logged value also logs\n  * ODBCAppender prepared statement value buffers had incorrect\n    lifetimes [#581]\n\n- update to 1.6.0:\n  * Configuration ${varname} values can be set programatically prior\n    to loading a configuration file (see com/foo/config4.cpp) [#520]\n  * The current executable\u0027s file name and its components are available\n    for use in a configuration file and the LOG4CXX_CONFIGURATION\n    environment variable (see log4cxx::spi::Configurator::properties).\n    [#520]\n  * Console output (Log4cxx internal logging and BasicConfigurator)\n    use a color per message level by default [#529]\n  * New logging macros that defer binary-to-text conversion until\n    used in AsyncAppender\u0027s background thread\n  * A simplified way to attach an AsyncAppender to a logger using\n    a configuration file [#550]\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Leap-16.0-packagehub-235",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20705-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1261994",
        "url": "https://bugzilla.suse.com/1261994"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-40023 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-40023/"
      }
    ],
    "title": "Security update for log4cxx",
    "tracking": {
      "current_release_date": "2026-05-07T10:19:52Z",
      "generator": {
        "date": "2026-05-07T10:19:52Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:20705-1",
      "initial_release_date": "2026-05-07T10:19:52Z",
      "revision_history": [
        {
          "date": "2026-05-07T10:19:52Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "liblog4cxx-devel-1.7.0-bp160.1.1.aarch64",
                "product": {
                  "name": "liblog4cxx-devel-1.7.0-bp160.1.1.aarch64",
                  "product_id": "liblog4cxx-devel-1.7.0-bp160.1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "liblog4cxx15-1.7.0-bp160.1.1.aarch64",
                "product": {
                  "name": "liblog4cxx15-1.7.0-bp160.1.1.aarch64",
                  "product_id": "liblog4cxx15-1.7.0-bp160.1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "liblog4cxx-devel-1.7.0-bp160.1.1.ppc64le",
                "product": {
                  "name": "liblog4cxx-devel-1.7.0-bp160.1.1.ppc64le",
                  "product_id": "liblog4cxx-devel-1.7.0-bp160.1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "liblog4cxx15-1.7.0-bp160.1.1.ppc64le",
                "product": {
                  "name": "liblog4cxx15-1.7.0-bp160.1.1.ppc64le",
                  "product_id": "liblog4cxx15-1.7.0-bp160.1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "liblog4cxx-devel-1.7.0-bp160.1.1.s390x",
                "product": {
                  "name": "liblog4cxx-devel-1.7.0-bp160.1.1.s390x",
                  "product_id": "liblog4cxx-devel-1.7.0-bp160.1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "liblog4cxx15-1.7.0-bp160.1.1.s390x",
                "product": {
                  "name": "liblog4cxx15-1.7.0-bp160.1.1.s390x",
                  "product_id": "liblog4cxx15-1.7.0-bp160.1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "liblog4cxx-devel-1.7.0-bp160.1.1.x86_64",
                "product": {
                  "name": "liblog4cxx-devel-1.7.0-bp160.1.1.x86_64",
                  "product_id": "liblog4cxx-devel-1.7.0-bp160.1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "liblog4cxx15-1.7.0-bp160.1.1.x86_64",
                "product": {
                  "name": "liblog4cxx15-1.7.0-bp160.1.1.x86_64",
                  "product_id": "liblog4cxx15-1.7.0-bp160.1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 16.0",
                "product": {
                  "name": "openSUSE Leap 16.0",
                  "product_id": "openSUSE Leap 16.0"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liblog4cxx-devel-1.7.0-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.aarch64"
        },
        "product_reference": "liblog4cxx-devel-1.7.0-bp160.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liblog4cxx-devel-1.7.0-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.ppc64le"
        },
        "product_reference": "liblog4cxx-devel-1.7.0-bp160.1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liblog4cxx-devel-1.7.0-bp160.1.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.s390x"
        },
        "product_reference": "liblog4cxx-devel-1.7.0-bp160.1.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liblog4cxx-devel-1.7.0-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.x86_64"
        },
        "product_reference": "liblog4cxx-devel-1.7.0-bp160.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liblog4cxx15-1.7.0-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.aarch64"
        },
        "product_reference": "liblog4cxx15-1.7.0-bp160.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liblog4cxx15-1.7.0-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.ppc64le"
        },
        "product_reference": "liblog4cxx15-1.7.0-bp160.1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liblog4cxx15-1.7.0-bp160.1.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.s390x"
        },
        "product_reference": "liblog4cxx15-1.7.0-bp160.1.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "liblog4cxx15-1.7.0-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.x86_64"
        },
        "product_reference": "liblog4cxx15-1.7.0-bp160.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-40023",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-40023"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Apache Log4cxx\u0027s  XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  in log messages, NDC, and MDC property keys and values, producing invalid XML output. Conforming XML parsers must reject such documents with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nAn attacker who can influence logged data can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.\n\nUsers are advised to upgrade to Apache Log4cxx 1.7.0, which fixes this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-40023",
          "url": "https://www.suse.com/security/cve/CVE-2026-40023"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261994 for CVE-2026-40023",
          "url": "https://bugzilla.suse.com/1261994"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:liblog4cxx-devel-1.7.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:liblog4cxx15-1.7.0-bp160.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-07T10:19:52Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-40023"
    }
  ]
}
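The advisory rates CVE-2026-40023 at CVSS 3.1 base score 5.3 (MEDIUM) for the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, which matches the CVE text: network-reachable, no privileges or user interaction, and only a low integrity impact (suppressed log records). The following is an added example, not SUSE or FIRST code: it recomputes a v3.1 base score from a vector string using the constants, impact and exploitability formulas and the Roundup function of the CVSS v3.1 specification, so the stated vector and score can be cross-checked. Function names are this example's own.

```cpp
// Added example, not SUSE or FIRST code: recompute a CVSS v3.1 base score from
// its vector string. Constants and rounding follow the CVSS v3.1 specification;
// cvssRoundUp, parseCvssVector, cvss31BaseScore and cvssSeverity are this
// example's own names.
#include <cmath>
#include <initializer_list>
#include <iostream>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>

// Roundup as defined in CVSS v3.1 Appendix A: work on an integer scaled by
// 100000 so that e.g. 4.02 rounds up to 4.1 and 4.0 stays 4.0.
double cvssRoundUp(double x) {
    long long scaled = std::llround(x * 100000.0);
    if (scaled % 10000 == 0) return scaled / 100000.0;
    return (std::floor(scaled / 10000.0) + 1.0) / 10.0;
}

// "CVSS:3.1/AV:N/AC:L/..." -> {"CVSS":"3.1", "AV":"N", "AC":"L", ...}
std::map<std::string, std::string> parseCvssVector(const std::string& v) {
    std::map<std::string, std::string> m;
    std::stringstream ss(v);
    std::string part;
    while (std::getline(ss, part, '/')) {
        size_t colon = part.find(':');
        if (colon == std::string::npos) throw std::invalid_argument("bad metric: " + part);
        m[part.substr(0, colon)] = part.substr(colon + 1);
    }
    if (m["CVSS"] != "3.1") throw std::invalid_argument("not a CVSS v3.1 vector");
    for (const char* k : {"AV", "AC", "PR", "UI", "S", "C", "I", "A"})
        if (!m.count(k)) throw std::invalid_argument(std::string("missing metric ") + k);
    return m;
}

// Base score per CVSS v3.1 section 7.1 (base metrics only; no temporal or
// environmental adjustment).
double cvss31BaseScore(const std::string& vector) {
    auto m = parseCvssVector(vector);
    bool changed = m["S"] == "C";
    auto cia = [](const std::string& v) { return v == "H" ? 0.56 : v == "L" ? 0.22 : 0.0; };
    double av = m["AV"] == "N" ? 0.85 : m["AV"] == "A" ? 0.62 : m["AV"] == "L" ? 0.55 : 0.2;
    double ac = m["AC"] == "L" ? 0.77 : 0.44;
    double pr = m["PR"] == "N" ? 0.85
              : m["PR"] == "L" ? (changed ? 0.68 : 0.62)
                               : (changed ? 0.50 : 0.27);
    double ui = m["UI"] == "N" ? 0.85 : 0.62;

    double iss = 1.0 - (1.0 - cia(m["C"])) * (1.0 - cia(m["I"])) * (1.0 - cia(m["A"]));
    double impact = changed ? 7.52 * (iss - 0.029) - 3.25 * std::pow(iss - 0.02, 15)
                            : 6.42 * iss;
    double exploitability = 8.22 * av * ac * pr * ui;
    if (impact <= 0.0) return 0.0;
    double raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    return cvssRoundUp(std::fmin(raw, 10.0));
}

// Qualitative rating per CVSS v3.1 section 5.
std::string cvssSeverity(double score) {
    if (score == 0.0) return "NONE";
    if (score < 4.0) return "LOW";
    if (score < 7.0) return "MEDIUM";
    if (score < 9.0) return "HIGH";
    return "CRITICAL";
}

int main() {
    // Vector string taken from the advisory's "scores" entry.
    const std::string vec = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N";
    double score = cvss31BaseScore(vec);
    std::cout << vec << " -> " << score << " (" << cvssSeverity(score) << ")\n";
    return 0;
}
```

For this vector the impact sub-score is 6.42 × 0.22 = 1.4124 and the exploitability sub-score is 8.22 × 0.85 × 0.77 × 0.85 × 0.85 ≈ 3.887; their sum, 5.299..., rounds up to 5.3, so the advisory's vector and score are consistent. Note that SUSE's own "moderate" rating is a separate vendor scale (see the ratings URL in the references), not the CVSS qualitative severity.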