We upgraded our OpenSearch cluster to version 3.6.0; however, our vulnerability scanning tool (Nessus) continues to report a Log4j vulnerability related to CVE-2026-34478.
Vulnerability Details
Vulnerability: CVE-2026-34478
Component: Apache Log4j Core
Installed Version Detected: 2.25.3
Fixed Version Required: 2.25.4 or later
File Path:
/usr/share/opensearch/lib/log4j-core-2.25.3.jar
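One way to confirm what the scanner is actually seeing on disk, as an added example (not code from the original post or from the OpenSearch project): a POSIX shell check that lists every `log4j-core-*.jar` in a lib directory and compares the version embedded in each file name against the fixed version the scanner demands. It assumes GNU `sort -V` for version ordering and that the jar file name carries the version, which is the field Nessus quoted; the directory path and version numbers in the usage call are taken from the post above.

```shell
#!/bin/sh
# Added example, not part of the original post or the OpenSearch project.
# Walks a lib directory, finds every log4j-core jar, reads the version out of
# the file name (log4j-core-<version>.jar) and compares it with the fixed
# version. Assumption: GNU "sort -V" is available for numeric version ordering.

# version_ge A B -> exit status 0 when A >= B (so 2.25.10 ranks above 2.25.4)
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# log4j_core_status DIR MIN_VERSION
# Prints one line per log4j-core jar found directly under DIR.
# Exit status: 0 if every jar is at or above MIN_VERSION,
#              1 if at least one jar is below it,
#              2 if no log4j-core jar was found at all.
log4j_core_status() {
    dir=$1
    min=$2
    found=0
    bad=0
    for jar in "$dir"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue          # glob did not match anything
        found=$((found + 1))
        base=$(basename "$jar" .jar)
        ver=${base#log4j-core-}
        if version_ge "$ver" "$min"; then
            printf 'ok          %s (%s >= %s)\n' "$jar" "$ver" "$min"
        else
            printf 'VULNERABLE  %s (%s < %s)\n' "$jar" "$ver" "$min"
            bad=$((bad + 1))
        fi
    done
    [ "$found" -eq 0 ] && return 2
    [ "$bad" -eq 0 ]
}

# Usage with the path and fixed version quoted in the post; only runs when the
# directory exists so the script is harmless on a machine without OpenSearch.
if [ -d /usr/share/opensearch/lib ]; then
    log4j_core_status /usr/share/opensearch/lib 2.25.4
    echo "exit status: $?"
fi
```

Run it against the plugins directories as well (each plugin ships its own jars), and remember that the check answers only what file is on disk: an upgrade that leaves `log4j-core-2.25.3.jar` in place will keep tripping a scanner that keys on the file name or manifest, regardless of the OpenSearch version reported by the API.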
pablo
June 2, 2026, 7:49pm
@mohit24 As per the following pull request, log4j2 has been updated to version 2.25.4, where the reported CVE has been fixed. This will also be backported to version 3.6.
main ← rursprung:update-log4j2
opened 02:28PM - 28 Apr 26 UTC
### Description
There are several CVEs reported on the current log4j2 version which get resolved by this, namely CVE-2026-34478 and CVE-2026-34480.
### Related Issues
resolves #21215
### Check List
- [ ] Functionality includes testing.
- [ ] API changes companion pull request [created](https://github.com/opensearch-project/opensearch-api-specification/blob/main/DEVELOPER_GUIDE.md), if applicable.
- [ ] Public documentation issue/PR [created](https://github.com/opensearch-project/documentation-website/issues/new/choose), if applicable.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).