Vulnerability in Apache Log4j

Please provide instructions on how to update Apache Log4j particularly log4j-core-2.17.1.jar
This file shows medium vulnerability (CVE-2026-34480) and high vulnerability (CVE-2026-34477) on my Nessus scans. Thank you

4 Comments

dpb
dpb on 21 May 2026
Edited: dpb on 21 May 2026
ADDENDUM
An AI-generated response states:
These CVEs affect Apache Log4j components, but MATLAB does not configure or invoke the vulnerable logging features:
  • CVE-2026-34480: An XXE vulnerability in Log4j's XmlLayout. MATLAB does not use this configuration.
  • CVE-2026-34477: A TLS hostname verification bypass. MATLAB does not configure its internal Log4j instances to use the vulnerable network or TLS appenders.
Note for Security Scanners:
Because Log4j packages are bundled within MATLAB and its third-party support packages, automated vulnerability scanners often flag them by simply reading the version number.
It (the AI bot) claims there is an official Mathworks response that confirms the above, but like @Walter Roberson, I've yet to find any response posted by a Mathworks staffer or the Mathworks Support Group. However, given the description of the particular vulnerabilities, the above assessments appear reasonable evaluations.
Ryan
Ryan about 2 hours ago
Moved: dpb 29 minutes ago
Given that matlab does not use any of the logging features flagged for the vulnerability, can I simply drop log4j-core2.26 into place instead of 2.17.1? Telling the security team that it does not use the vulnerable features does not satisfy their requirement. Upgrading the version does. Thank you in advance.
dpb
dpb about 5 hours ago
Edited: dpb 20 minutes ago
@Ryan, if your security team strictly requires the vulnerability scanner to return a clean pass on the installed version, dropping a new .jar file directly into the directory is a hard dead end. There are hacks one can find but no official path unless the latest release for your platform from MathWorks download has updated it.
AFAIK, there still are no official responses from MathWorks addressing these kinds of user IT requirements. Best advice can give would be to "have your people contact those people" at <Product Support Page>
I believe that the only solution that will be acceptable to your security team is if you uninstall all versions of MATLAB that use vulnerable log4j

Sign in to comment.

Answers (0)

Categories

Products

Release

R2022a

Asked:

on 21 May 2026

Edited:

dpb
about 20 hours ago

Community Treasure Hunt

Find the treasures in MATLAB Central and discover how the community can help you!

Start Hunting!