Security Bulletin: Multiple Vulnerabilities in Apache Log4j Core shipped in Tivoli Netcool/OMNIbus

Summary The Netcool/Omnibus 'Administrator GUI' and 'Accelerated Event Notification GUI' desktop components use a version of Apache Log4j that contains known vulnerabilities. These vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in...

Security Bulletin: There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-34477, CVE-2026-34478, CVE-2026-34480)

Summary There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-34477 DESCRIPTION: The fix for CVE-2025-68161 https://logging.apache.org/security.htmlCVE-2025-68161 was incomplete: it addressed...

Security Bulletin: There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-34480 ,CVE-2026-34477, CVE-2026-34478, CVE-2026-34479)

Summary There is a vulnerability in log4j-core-2.25.3.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-34477 DESCRIPTION: The fix for CVE-2025-68161 https://logging.apache.org/security.htmlCVE-2025-68161 was incomplete: it addressed...

Security Bulletin: IBM SPSS Modeler is affected by multiple vulnerabilities in Apache Log4j

Summary IBM SPSS Modeler is affected by multiple vulnerabilities in Apache Log4j. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname...

Security Bulletin: IBM® Db2® is affected by a vulnerability in log4j-core-2.17.2 (CVE-2025-68161)

Summary IBM® Db2® is affected by a vulnerability in log4j-core-2.17.2 CVE-2025-68161 Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the...

Security Bulletin: Vulnerability in Iog4j (CVE-2025-68161) affects IBM PowerVM Novalink.

Summary log4j is used by IBM PowerVM Novalink. IBM PowerVM Novalink has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer...

Security Bulletin: IBM SPSS Analytic Server is affected by a TLS hostname verification vulnerability in Apache Log4j Core (CVE-2025-68161)

Summary IBM SPSS Analytic Server is affected by a TLS hostname verification vulnerability in Apache Log4j Core CVE-2025-68161. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9...

Security Bulletin: due to the use of Apache Log4j, IBM Transformation Extender Advanced is vulnerable to Host Mismatch

Summary Apache Log4j is used by IBM Transformation Extender Advanced also known as IBM Standards Processing Engine as part of common utility helpers. Apache Log4j has been updated to address CVE-2025-68161 which causes hostname mismatch. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The...

Apache Log4j 2.12.0 < 2.25.4 SSL Hostname Verification Bypass (CVE-2026-34477)

The version of Apache Log4j on the remote host is 2.12.0 through 2.25.3. It is, therefore, affected by a vulnerability: - The verifyHostName configuration attribute of the Ssl element was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception via...

GHSA-W35J-PV5H-Q9Q9 Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

Apache Log4j's JsonTemplateLayout, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values NaN, Infinity, or -Infinity, which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to ind...

africa.shuwari.sbt:sbt-js_2.12_1.0 (>=0.14.1 <=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +19147 more potentially affected by CVE-2026-34477 via org.apache.logging.log4j:log4j-core (>=2.12.0 <=2.25.3)

org.apache.logging.log4j:log4j-core MAVEN version =2.12.0, =0.14.1, =0.1.0, =0.9.6, =0.12.0, =0.9.6, =0.9.6, =0.9.6, =0.9.6, =0.14.1, =0.9.6, =0.14.1, =4.4.0.1, =1.4.6, =1.4.6, =1.4.8 and more Source cves: CVE-2026-34477 Source advisory: OSV:GHSA-6HG6-V5C8-FPHQ...

CVE-2026-34480 Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.htmlXmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets producing invalid XML output whenever a log message or M...

CVE-2026-34480 Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.htmlXmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets producing invalid XML output whenever a log message or M...

CVE-2026-34478

CVE-2026-34478 (Log4j Core) affects Apache Log4j Core 2.21.0 through 2.25.3 and involves CRLF log-injection risks in stream-based syslog output due to undocumented renames of configuration attributes in Rfc5424Layout. Specifically, the newLineEscape attribute was silently renamed, breaking newlin...

K000160700: Log4J vulnerability CVE-2025-68161

Security Advisory Description The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https:// logging.apache . org/log4j/2.x/manual/appenders/network...

Security Bulletin: There is a vulnerability in log4j-core-2.17.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-68161)

Summary There is a vulnerability in log4j-core-2.17.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname...

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Log4j (CVE-2025-68161)

Summary A vulnerability in Apache Log4j that is used by InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificat...

Security Bulletin: IBM App Connect for Manufacturing is vulnerable to Improper Validation of Certificate with Host Mismatch due to Apache Log4j Core (CVE-2025-68161)

Summary IBM App Connect for Manufacturing is vulnerable to Improper Validation of Certificate with Host Mismatch due to Apache Log4j Core Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostnam...

Security Bulletin: IBM Maximo Asset Configuration Manager uses log4j-core-2.17.1 which is vulnerable to CVE-2025-68161

Summary IBM Maximo Asset Configuration Manager uses log4j-core-2.17.1 which is vulnerable to CVE-2025-68161. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions...

Security Bulletin: IBM Sterling Control Center is affected by vulnerabilities in log4j-core (CVE-2025-68161)

Summary IBM Sterling Control Center is affected by a vulnerability CVE-2025-68161 of log4j-core-2.17.1.jar. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer...