<div class="container">
<h1>Security update for log4j</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:0254-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-01-22T16:08:29Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1255427">bsc#1255427</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-68161.html">CVE-2025-68161</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-68161</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-68161</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-68161</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-68161</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">4.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Basesystem Module 15-SP7</li>
<li class="list-group-item">openSUSE Leap 15.6</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP7</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for log4j fixes the following issues:</p>
<p>Security fixes:</p>
<ul>
<li>CVE-2025-68161: Fixed absent TLS hostname verification
that may allow a man-in-the-middle attack (bsc#1255427)</li>
</ul>
<p>Other fixes:</p>
<ul>
<li>Upgrade to 2.18.0</li>
<li>Added<ul>
<li>Add support for Jakarta Mail API in the SMTP appender.</li>
<li>Add support for custom Log4j 1.x levels.</li>
<li>Add support for adding and retrieving appenders in Log4j 1.x
bridge.</li>
<li>Add support for custom LMAX disruptor WaitStrategy
configuration.</li>
<li>Add support for Apache Extras' RollingFileAppender in Log4j
1.x bridge.</li>
<li>Add MutableThreadContextMapFilter.</li>
<li>Add support for 24 colors in highlighting</li>
</ul>
</li>
<li>Changed<ul>
<li>Improves ServiceLoader support on servlet containers.</li>
<li>Make the default disruptor WaitStrategy used by Async Loggers
garbage-free.</li>
<li>Do not throw UnsupportedOperationException when JUL
ApiLogger::setLevel is called.</li>
<li>Support Spring 2.6.x.</li>
<li>Move perf tests to log4j-core-its</li>
<li>Upgrade the Flume Appender to Flume 1.10.0</li>
</ul>
</li>
<li>Fixed<ul>
<li>Fix minor typo #792.</li>
<li>Improve validation and reporting of configuration errors.</li>
<li>Allow enterprise id to be an OID fragment.</li>
<li>Fix problem with non-uppercase custom levels.</li>
<li>Avoid ClassCastException in JeroMqManager with custom
LoggerContextFactory #791.</li>
<li>DirectWriteRolloverStrategy should use the current time when
creating files.</li>
<li>Fixes the syslog appender in the Log4j 1.x bridge when used with
a custom layout.</li>
<li>log4j-1.2-api 2.17.2 throws NullPointerException while
removing an appender whose name is null.</li>
<li>Improve JsonTemplateLayout performance.</li>
<li>Fix resolution of non-Log4j properties.</li>
<li>Fixes Spring Boot logging system registration in a
multi-application environment.</li>
<li>JAR file containing Log4j configuration isn’t closed.</li>
<li>Properties defined in configuration using a value attribute
(as opposed to element) are read correctly.</li>
<li>Syslog appender lacks the SocketOptions setting.</li>
<li>Log4j 1.2 bridge should not wrap components unnecessarily.</li>
<li>Update 3rd party dependencies for 2.18.0.</li>
<li>SizeBasedTriggeringPolicy would fail to rename files properly
when integer pattern contained a leading zero.</li>
<li>Fixes default SslConfiguration when a custom keystore is
used.</li>
<li>Fixes appender concurrency problems in Log4j 1.x bridge.</li>
<li>Fix and test for race condition in FileUtils.mkdir().</li>
<li>LocalizedMessage logs misleading errors on the console.</li>
<li>Add missing message parameterization in RegexFilter.</li>
<li>Add the missing context stack to JsonLayout template.</li>
<li>HttpWatcher did not pass credentials when polling.</li>
<li>UrlConnectionFactory.createConnection now accepts an
AuthorizationProvider as a parameter.</li>
<li>The DirectWriteRolloverStrategy was not detecting the correct
index to use during startup.</li>
<li>Async Loggers were including the location information by
default.</li>
<li>ClassArbiter’s newBuilder method referenced the wrong class.</li>
<li>Don’t use Paths.get() to avoid circular file systems.</li>
<li>Fix parsing error when XInclude is disabled.</li>
<li>Fix LevelRangeFilterBuilder to align with log4j1’s behavior.</li>
<li>Fixes problem with wrong ANSI escape code for bright colors</li>
<li>Log4j 1.2 bridge should generate Log4j 2.x messages based on
the parameter runtime type.</li>
</ul>
</li>
<li>Update to 2.19.0</li>
<li>Added<ul>
<li>Add implementation of SLF4J2 fluent API.</li>
<li>Add support for SLF4J2 stack-valued MDC.</li>
</ul>
</li>
<li>Changed<ul>
<li>Add getExplicitLevel method to LoggerConfig.</li>
<li>Allow PropertySources to be added.</li>
<li>Allow Plugins to be injected with the LoggerContext reference.</li>
</ul>
</li>
<li>Fixed<ul>
<li>Add correct manifest entries for OSGi to log4j-jcl</li>
<li>Improve support for passwordless keystores.</li>
<li>SystemPropertyArbiter was assigning the value as the name.</li>
<li>Make JsonTemplateLayout stack trace truncation operate for
each label block.</li>
<li>Fix recursion between Log4j 1.2 LogManager and Category.</li>
<li>Fix resolution of properties not starting with <code>log4j2.</code>.</li>
<li>Logger$PrivateConfig.filter(Level, Marker, String) was
allocating empty varargs array.</li>
<li>Allows a space separated list of style specifiers in the
%style pattern for consistency with %highlight.</li>
<li>Fix NPE in log4j-to-jul in the case the root logger level is
null.</li>
<li>Fix RollingRandomAccessFileAppender with
DirectWriteRolloverStrategy failing to create the first log file in
a different directory.</li>
<li>Generate new SSL certs for testing.</li>
<li>Fix ServiceLoaderUtil behavior in the presence of a
SecurityManager.</li>
<li>Fix regression in Rfc5424Layout default values.</li>
<li>Harden InstantFormatter against delegate failures.</li>
<li>Add async support to Log4jServletFilter.</li>
</ul>
</li>
<li>Removed<ul>
<li>Removed build page in favor of a single build instructions
file.</li>
<li>Remove SLF4J 1.8.x binding.</li>
</ul>
</li>
<li>Update to 2.20.0</li>
<li>Added<ul>
<li>Add support for timezones in RollingFileAppender date pattern</li>
<li>Add LogEvent timestamp to ProducerRecord in KafkaAppender</li>
<li>Add PatternLayout support for abbreviating the name of all
logger components except the 2 rightmost</li>
<li>Removes internal field that leaked into public API.</li>
<li>Add a LogBuilder#logAndGet() method to emulate the
Logger#traceEntry method.</li>
</ul>
</li>
<li>Changed<ul>
<li>Simplify site generation</li>
<li>Switch the issue tracker from JIRA to GitHub Issues</li>
<li>Remove liquibase-log4j2 maven module</li>
<li>Fix order of stack trace elements that caused cache misses in
ThrowableProxyHelper.</li>
<li>Switch from com.sun.mail to Eclipse Angus.</li>
<li>Add Log4j2 Core as default runtime dependency of the
SLF4J2-to-Log4j2 API bridge.</li>
<li>Replace maven-changes-plugin with a custom changelog
implementation</li>
<li>Moved log4j-api and log4j-core artifacts with classifier tests
to log4j-api-test and log4j-core-test respectively.</li>
</ul>
</li>
<li>Deprecated<ul>
<li>Deprecate support for package scanning for plugins</li>
</ul>
</li>
<li>Fixed<ul>
<li>Copy programmatically supplied location even if
includeLocation="false".</li>
<li>Eliminate status logger warning when disableAnsi or
noConsoleNoAnsi is used with the style and highlight patterns.</li>
<li>Fix detection of location requirements in RewriteAppender.</li>
<li>Replace regex with manual code to escape characters in
Rfc5424Layout.</li>
<li>Fix java.sql.Time object formatting in MapMessage</li>
<li>Fix previous fire time computation in CronTriggeringPolicy</li>
<li>Correct default to not include location for AsyncRootLoggers</li>
<li>Make StatusConsoleListener use SimpleLogger internally.</li>
<li>Lazily evaluate the level of a SLF4J LogEventBuilder</li>
<li>Fixes priority of legacy system properties, which once again
take precedence over environment variables.</li>
<li>Protects ServiceLoaderUtil from unchecked ServiceLoader
exceptions.</li>
<li>Fix Configurator#setLevel for internal classes</li>
<li>Fix level propagation in Log4jBridgeHandler</li>
<li>Disable OsgiServiceLocator if not running in OSGI container.</li>
<li>When using a Date Lookup in the file pattern the current time
should be used.</li>
<li>Fixed LogBuilder filtering in the presence of global filters.</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use the SUSE recommended
installation methods such as YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.6
<br/>
<code>zypper in -t patch openSUSE-SLE-15.6-2026-254=1</code>
</li>
<li class="list-group-item">
Basesystem Module 15-SP7
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-254=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.6 (noarch)
<ul>
<li>log4j-slf4j-2.20.0-150200.4.30.1</li>
<li>log4j-jcl-2.20.0-150200.4.30.1</li>
<li>log4j-2.20.0-150200.4.30.1</li>
<li>log4j-javadoc-2.20.0-150200.4.30.1</li>
</ul>
</li>
<li>
Basesystem Module 15-SP7 (noarch)
<ul>
<li>log4j-slf4j-2.20.0-150200.4.30.1</li>
<li>log4j-jcl-2.20.0-150200.4.30.1</li>
<li>log4j-2.20.0-150200.4.30.1</li>
<li>log4j-javadoc-2.20.0-150200.4.30.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-68161.html">https://www.suse.com/security/cve/CVE-2025-68161.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1255427">https://bugzilla.suse.com/show_bug.cgi?id=1255427</a>
</li>
</ul>
</div>