Vulnerability in Apache Log4j
Show older comments
Please provide instructions on how to update Apache Log4j particularly log4j-core-2.17.1.jar
This file shows medium vulnerability (CVE-2026-34480) and high vulnerability (CVE-2026-34477) on my Nessus scans. Thank you
4 Comments
ADDENDUM
An AI-generated response states:
These CVEs affect Apache Log4j components, but MATLAB does not configure or invoke the vulnerable logging features:
- CVE-2026-34480: An XXE vulnerability in Log4j's XmlLayout. MATLAB does not use this configuration.
- CVE-2026-34477: A TLS hostname verification bypass. MATLAB does not configure its internal Log4j instances to use the vulnerable network or TLS appenders.
Note for Security Scanners:
Because Log4j packages are bundled within MATLAB and its third-party support packages, automated vulnerability scanners often flag them by simply reading the version number.
It (the AI bot) claims there is an official Mathworks response that confirms the above, but like @Walter Roberson, I've yet to find any response posted by a Mathworks staffer or the Mathworks Support Group. However, given the description of the particular vulnerabilities, the above assessments appear reasonable evaluations.
Given that matlab does not use any of the logging features flagged for the vulnerability, can I simply drop log4j-core2.26 into place instead of 2.17.1? Telling the security team that it does not use the vulnerable features does not satisfy their requirement. Upgrading the version does. Thank you in advance.
@Ryan, if your security team strictly requires the vulnerability scanner to return a clean pass on the installed version, dropping a new .jar file directly into the directory is a hard dead end. There are hacks one can find but no official path unless the latest release for your platform from MathWorks download has updated it.
AFAIK, there still are no official responses from MathWorks addressing these kinds of user IT requirements. Best advice can give would be to "have your people contact those people" at <Product Support Page>
Walter Roberson
3 minutes ago
I believe that the only solution that will be acceptable to your security team is if you uninstall all versions of MATLAB that use vulnerable log4j
Answers (0)
Categories
Find more on Introduction to Installation and Licensing in Help Center and File Exchange
Community Treasure Hunt
Find the treasures in MATLAB Central and discover how the community can help you!
Start Hunting!