Vulnerability in Apache Log4j

Please provide instructions on how to update Apache Log4j particularly log4j-core-2.17.1.jar
This file shows medium vulnerability (CVE-2026-34480) and high vulnerability (CVE-2026-34477) on my Nessus scans. Thank you

4 个评论

dpb
dpb 2026-5-21
编辑:dpb 2026-5-21
ADDENDUM
An AI-generated response states:
These CVEs affect Apache Log4j components, but MATLAB does not configure or invoke the vulnerable logging features:
  • CVE-2026-34480: An XXE vulnerability in Log4j's XmlLayout. MATLAB does not use this configuration.
  • CVE-2026-34477: A TLS hostname verification bypass. MATLAB does not configure its internal Log4j instances to use the vulnerable network or TLS appenders.
Note for Security Scanners:
Because Log4j packages are bundled within MATLAB and its third-party support packages, automated vulnerability scanners often flag them by simply reading the version number.
It (the AI bot) claims there is an official Mathworks response that confirms the above, but like @Walter Roberson, I've yet to find any response posted by a Mathworks staffer or the Mathworks Support Group. However, given the description of the particular vulnerabilities, the above assessments appear reasonable evaluations.
Ryan
Ryan about 4 hours 前
移动:dpb about 2 hours 前
Given that matlab does not use any of the logging features flagged for the vulnerability, can I simply drop log4j-core2.26 into place instead of 2.17.1? Telling the security team that it does not use the vulnerable features does not satisfy their requirement. Upgrading the version does. Thank you in advance.
dpb
dpb about 10 hours 前
编辑:dpb about 6 hours 前
@Ryan, if your security team strictly requires the vulnerability scanner to return a clean pass on the installed version, dropping a new .jar file directly into the directory is a hard dead end. There are hacks one can find but no official path unless the latest release for your platform from MathWorks download has updated it.
AFAIK, there still are no official responses from MathWorks addressing these kinds of user IT requirements. Best advice can give would be to "have your people contact those people" at <Product Support Page>
I believe that the only solution that will be acceptable to your security team is if you uninstall all versions of MATLAB that use vulnerable log4j

请先登录,再进行评论。

回答(0 个)

类别

帮助中心File Exchange 中查找有关 Introduction to Installation and Licensing 的更多信息

产品

版本

R2022a

提问:

2026-5-21

编辑:

dpb
about 10 hours 前

Community Treasure Hunt

Find the treasures in MATLAB Central and discover how the community can help you!

Start Hunting!

Translated by