UBUNTU-CVE-2026-34478

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-34478

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-34478

Upstream

CVE-2026-34478

Published

2026-04-10T16:16:00Z

Modified

2026-05-20T16:25:33.911931411Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N CVSS Calculator
7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

References

Affected packages

Ubuntu:18.04:LTS

apache-log4j1.2

Package

Name: apache-log4j1.2
Purl: pkg:deb/ubuntu/apache-log4j1.2?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.17-7ubuntu2

1.2.17-8

1.2.17-8+deb10u1build0.18.04.1

1.2.17-8+deb10u1ubuntu0.1

1.2.17-8+deb10u1ubuntu0.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j1.2-java",
            "binary_version": "1.2.17-8+deb10u1ubuntu0.2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

apache-log4j2

Package

Name: apache-log4j2
Purl: pkg:deb/ubuntu/apache-log4j2?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.8.2-1

2.8.2-2

2.10.0-1

2.10.0-2

2.10.0-2ubuntu0.1

2.12.4-0ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j2-java",
            "binary_version": "2.12.4-0ubuntu0.1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

Ubuntu:20.04:LTS

apache-log4j1.2

Package

Name: apache-log4j1.2
Purl: pkg:deb/ubuntu/apache-log4j1.2?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.17-8

1.2.17-9

1.2.17-9ubuntu0.1

1.2.17-9ubuntu0.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j1.2-java",
            "binary_version": "1.2.17-9ubuntu0.2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

apache-log4j2

Package

Name: apache-log4j2
Purl: pkg:deb/ubuntu/apache-log4j2?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.11.1-2

2.11.2-1

2.15.0-0.20.04.1

2.16.0-0.20.04.1

2.17.0-0.20.04.1

2.17.1-0.20.04.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j2-java",
            "binary_version": "2.17.1-0.20.04.1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

Ubuntu:22.04:LTS

apache-log4j1.2

Package

Name: apache-log4j1.2
Purl: pkg:deb/ubuntu/apache-log4j1.2?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.17-10

1.2.17-11

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j1.2-java",
            "binary_version": "1.2.17-11"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

apache-log4j2

Package

Name: apache-log4j2
Purl: pkg:deb/ubuntu/apache-log4j2?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.13.3-1

2.15.0-1

2.16.0-1

2.17.0-1

2.17.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j2-java",
            "binary_version": "2.17.1-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

Ubuntu:24.04:LTS

apache-log4j1.2

Package

Name: apache-log4j1.2
Purl: pkg:deb/ubuntu/apache-log4j1.2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.17-11

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j1.2-java",
            "binary_version": "1.2.17-11"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

apache-log4j2

Package

Name: apache-log4j2
Purl: pkg:deb/ubuntu/apache-log4j2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.19.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j2-java",
            "binary_version": "2.19.0-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

Ubuntu:25.10

apache-log4j1.2

Package

Name: apache-log4j1.2
Purl: pkg:deb/ubuntu/apache-log4j1.2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.17-11

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j1.2-java",
            "binary_version": "1.2.17-11"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

apache-log4j2

Package

Name: apache-log4j2
Purl: pkg:deb/ubuntu/apache-log4j2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.19.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j2-java",
            "binary_version": "2.19.0-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

Ubuntu:26.04:LTS

apache-log4j1.2

Package

Name: apache-log4j1.2
Purl: pkg:deb/ubuntu/apache-log4j1.2?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.17-11

1.2.17-11build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j1.2-java",
            "binary_version": "1.2.17-11build1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

apache-log4j2

Package

Name: apache-log4j2
Purl: pkg:deb/ubuntu/apache-log4j2?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.19.0-2

2.19.0-2build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j2-java",
            "binary_version": "2.19.0-2build1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

Ubuntu:Pro:14.04:LTS

apache-log4j1.2

Package

Name: apache-log4j1.2
Purl: pkg:deb/ubuntu/apache-log4j1.2?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.17-3ubuntu1

1.2.17-4ubuntu1

1.2.17-4ubuntu2

1.2.17-4ubuntu3

1.2.17-4ubuntu3+esm1

1.2.17-4ubuntu3+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j1.2-java",
            "binary_version": "1.2.17-4ubuntu3+esm2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

Ubuntu:Pro:16.04:LTS

apache-log4j2

Package

Name: apache-log4j2
Purl: pkg:deb/ubuntu/apache-log4j2?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2-1

2.4-1

2.4-2

2.4-2ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j2-java",
            "binary_version": "2.4-2ubuntu0.1~esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"

apache-log4j1.2

Package

Name: apache-log4j1.2
Purl: pkg:deb/ubuntu/apache-log4j1.2?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.17-6ubuntu1

1.2.17-7ubuntu1

1.2.17-7ubuntu1+esm1

1.2.17-7ubuntu1+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblog4j1.2-java",
            "binary_version": "1.2.17-7ubuntu1+esm2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34478.json"