Security Vulnerabilities in Apache Log4J 2.x

Problem Description

Does the COMSOL software contain the Apache Log4j 2.x library and, if so, is it affected by known security vulnerabilities in it?

Solution

Summary

The following COMSOL software include the Apache Log4j 2.x library:

• COMSOL Multiphysics
• COMSOL Server
• COMSOL Model Manager Server (with managed search index servers)

COMSOL strives to keep third-party software up-to-date in update releases. It is not possible to update the bundled Apache Log4j 2.x software manually. See below for more information about known Apache Log4j 2.x security vulnerabilities.

Security vulnerabilities

The Apache Logging Services security team lists known vulnerabilities on the Apache Logging Services Security page.

Not all security vulnerabilities of the Apache Log4j 2.x library apply to the COMSOL software, since the COMSOL software does not use all the Apache Log4j 2.x functionality and may not enable the affected features. In fact, COMSOL software typically only uses a relatively limited subset of the Apache Log4j 2.x functionality.

• CVE-2026-34477
  Assessment: Not vulnerable
  The COMSOL software does not enable the Socket Appender so the insufficient TLS hostname verification in Apache Log4j 2.25.3 and below is not relevant.

• CVE-2026-34478
  Assessment: Not vulnerable
  The COMSOL software does not enable the RFC 5424 Layout functionality so the reported log injection paths in Apache Log4j 2.25.3 and below are not relevant.

• CVE-2026-34479 and CVE-2026-34480
  Assessment: Not vulnerable
  The COMSOL software does not enable the XML Layout functionality so the reported lack of sanitization in Apache Log4j 2.25.3 and below is not relevant.

• CVE-2026-34481
  Assessment: Not vulnerable
  The COMSOL software does not enable the JSON Template Layout functionality so the reported issue with non-finite floating-point values in Apache Log4j 2.25.3 and below is not relevant.

Apache Log4j 2.x version

The following versions of the Apache Log4j 2.x library are included with the currently supported versions of COMSOL:

• COMSOL 6.4 Update 2:
  Apache Log4j 2.25.3
• COMSOL 6.3 Update 3:
  Apache Log4j 2.25.3

In general, the version of the Apache Log4j software included with a particular COMSOL software installation can be determined by inspecting the filenames of all .jar found by searching for log4j in the COMSOL installation directory. The following are the default installation directories:

• On Windows systems: C:\Program Files\COMSOL\COMSOL64\[Product]\
• On macOS systems: /Applications/COMSOL64/[Product]/
• On Linux systems: /usr/local/comsol64/[product]/
• The [Product] path segment is Multiphysics for COMSOL Multiphysics, Server for COMSOL Server, and ModelManagerServer for COMSOL Model Manager Server.

種類ごとに閲覧

エラーメッセージ (65)
インポート (10)
ジオメトリ (14)
フィジックス (11)
ソルバー (38)
インストレーション (43)
メッシュ (14)
一般 (38)
構造力学 (2)
流体力学 (2)
ポスト処理 (4)
エクスポート (1)
描 (1)
製品情報 (6)
マルチフィジックス (1)
ユーザーのモデル (1)
電磁気 (1)