SUSE SLED15 / SLES15 / openSUSE 15 Security Update : log4j (SUSE-SU-2026:0254-1)

medium Nessus Plugin ID 296436

Synopsis

The remote SUSE host is missing a security update.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0254-1 advisory.

Security fixes:

- CVE-2025-68161: Fixed absent TLS hostname verification that may allow a man-in-the-middle attack (bsc#1255427)

Other fixes:

- Upgrade to 2.18.0
* Added
+ Add support for Jakarta Mail API in the SMTP appender.
+ Add support for custom Log4j 1.x levels.
+ Add support for adding and retrieving appenders in Log4j 1.x bridge.
+ Add support for custom LMAX disruptor WaitStrategy configuration.
+ Add support for Apache Extras' RollingFileAppender in Log4j 1.x bridge.
+ Add MutableThreadContextMapFilter.
+ Add support for 24 colors in highlighting.
* Changed
+ Improves ServiceLoader support on servlet containers.
+ Make the default disruptor WaitStrategy used by Async Loggers garbage-free.
+ Do not throw UnsupportedOperationException when JUL ApiLogger::setLevel is called.
+ Support Spring 2.6.x.
+ Move perf tests to log4j-core-its.
+ Upgrade the Flume Appender to Flume 1.10.0.
* Fixed
+ Fix minor typo #792.
+ Improve validation and reporting of configuration errors.
+ Allow enterprise id to be an OID fragment.
+ Fix problem with non-uppercase custom levels.
+ Avoid ClassCastException in JeroMqManager with custom LoggerContextFactory #791.
+ DirectWriteRolloverStrategy should use the current time when creating files.
+ Fixes the syslog appender in Log4j 1.x bridge, when used with a custom layout.
+ log4j-1.2-api 2.17.2 throws NullPointerException while removing appender with name as null.
+ Improve JsonTemplateLayout performance.
+ Fix resolution of non-Log4j properties.
+ Fixes Spring Boot logging system registration in a multi-application environment.
+ JAR file containing Log4j configuration isn't closed.
+ Properties defined in configuration using a value attribute (as opposed to element) are read correctly.
+ Syslog appender lacks the SocketOptions setting.
+ Log4j 1.2 bridge should not wrap components unnecessarily.
+ Update 3rd party dependencies for 2.18.0.
+ SizeBasedTriggeringPolicy would fail to rename files properly when integer pattern contained a leading zero.
+ Fixes default SslConfiguration, when a custom keystore is used.
+ Fixes appender concurrency problems in Log4j 1.x bridge.
+ Fix and test for race condition in FileUtils.mkdir().
+ LocalizedMessage logs misleading errors on the console.
+ Add missing message parameterization in RegexFilter.
+ Add the missing context stack to JsonLayout template.
+ HttpWatcher did not pass credentials when polling.
+ UrlConnectionFactory.createConnection now accepts an AuthorizationProvider as a parameter.
+ The DirectWriteRolloverStrategy was not detecting the correct index to use during startup.
+ Async Loggers were including the location information by default.
+ ClassArbiter's newBuilder method referenced the wrong class.
+ Don't use Paths.get() to avoid circular file systems.
+ Fix parsing error, when XInclude is disabled.
+ Fix LevelRangeFilterBuilder to align with log4j1's behavior.
+ Fixes problem with wrong ANSI escape code for bright colors.
+ Log4j 1.2 bridge should generate Log4j 2.x messages based on the parameter runtime type.
- Update to 2.19.0
* Added
+ Add implementation of SLF4J2 fluent API.
+ Add support for SLF4J2 stack-valued MDC.
* Changed
+ Add getExplicitLevel method to LoggerConfig.
+ Allow PropertySources to be added.
+ Allow Plugins to be injected with the LoggerContext reference.
* Fixed
+ Add correct manifest entries for OSGi to log4j-jcl.
+ Improve support for passwordless keystores.
+ SystemPropertyArbiter was assigning the value as the name.
+ Make JsonTemplateLayout stack trace truncation operate for each label block.
+ Fix recursion between Log4j 1.2 LogManager and Category.
+ Fix resolution of properties not starting with log4j2..
+ Logger$PrivateConfig.filter(Level, Marker, String) was allocating empty varargs array.
+ Allows a space separated list of style specifiers in the %style pattern for consistency with %highlight.
+ Fix NPE in log4j-to-jul in the case the root logger level is null.
+ Fix RollingRandomAccessFileAppender with DirectWriteRolloverStrategy can't create the first log file of different directory.
+ Generate new SSL certs for testing.
+ Fix ServiceLoaderUtil behavior in the presence of a SecurityManager.
+ Fix regression in Rfc5424Layout default values.
+ Harden InstantFormatter against delegate failures.
+ Add async support to Log4jServletFilter.
* Removed
+ Removed build page in favor of a single build instructions file.
+ Remove SLF4J 1.8.x binding.
- Update to 2.20.0
* Added
+ Add support for timezones in RollingFileAppender date pattern.
+ Add LogEvent timestamp to ProducerRecord in KafkaAppender.
+ Add PatternLayout support for abbreviating the name of all logger components except the 2 rightmost.
+ Removes internal field that leaked into public API.
+ Add a LogBuilder#logAndGet() method to emulate the Logger#traceEntry method.
* Changed
+ Simplify site generation.
+ Switch the issue tracker from JIRA to GitHub Issues.
+ Remove liquibase-log4j2 maven module.
+ Fix order of stacktrace elements, that causes cache misses in ThrowableProxyHelper.
+ Switch from com.sun.mail to Eclipse Angus.
+ Add Log4j2 Core as default runtime dependency of the SLF4J2-to-Log4j2 API bridge.
+ Replace maven-changes-plugin with a custom changelog implementation.
+ Moved log4j-api and log4j-core artifacts with classifier tests to log4j-api-test and log4j-core-test respectively.
* Deprecated
+ Deprecate support for package scanning for plugins.
* Fixed
+ Copy programmatically supplied location even if includeLocation='false'.
+ Eliminate status logger warning, when disableAnsi or noConsoleNoAnsi is used with the style and highlight patterns.
+ Fix detection of location requirements in RewriteAppender.
+ Replace regex with manual code to escape characters in Rfc5424Layout.
+ Fix java.sql.Time object formatting in MapMessage.
+ Fix previous fire time computation in CronTriggeringPolicy.
+ Correct default to not include location for AsyncRootLoggers.
+ Make StatusConsoleListener use SimpleLogger internally.
+ Lazily evaluate the level of a SLF4J LogEventBuilder.
+ Fixes priority of Legacy system properties, which are now back to having higher priority than Environment variables.
+ Protects ServiceLoaderUtil from unchecked ServiceLoader exceptions.
+ Fix Configurator#setLevel for internal classes.
+ Fix level propagation in Log4jBridgeHandler.
+ Disable OsgiServiceLocator if not running in OSGI container.
+ When using a Date Lookup in the file pattern the current time should be used.
+ Fixed LogBuilder filtering in the presence of global filters.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected log4j, log4j-javadoc, log4j-jcl and / or log4j-slf4j packages.

See Also

https://bugzilla.suse.com/1255427

http://www.nessus.org/u?dadb3a7b

https://www.suse.com/security/cve/CVE-2025-68161

Plugin Details

Severity: Medium

ID: 296436

File Name: suse_SU-2026-0254-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/24/2026

Updated: 1/24/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-68161

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 2.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:log4j-jcl, p-cpe:/a:novell:suse_linux:log4j-slf4j, p-cpe:/a:novell:suse_linux:log4j-javadoc, p-cpe:/a:novell:suse_linux:log4j, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/22/2026

Vulnerability Publication Date: 12/18/2025

Reference Information

CVE: CVE-2025-68161

SuSE: SUSE-SU-2026:0254-1