Security Vulnerabilities in Apache Log4J 2.x

Versions: 6.4, 6.3

Problem Description

Does the COMSOL software contain the Apache Log4j 2.x library and, if so, is it affected by known security vulnerabilities in it?

Solution

Summary

The following COMSOL software include the Apache Log4j 2.x library:

COMSOL Multiphysics
COMSOL Server
COMSOL Model Manager Server (with managed search index servers)

COMSOL strives to keep third-party software up-to-date in update releases. It is not possible to update the bundled Apache Log4j 2.x software manually. See below for more information about known Apache Log4j 2.x security vulnerabilities.

Security vulnerabilities

The Apache Logging Services security team lists known vulnerabilities on the Apache Logging Services Security page.

Not all security vulnerabilities of the Apache Log4j 2.x library apply to the COMSOL software, since the COMSOL software does not use all the Apache Log4j 2.x functionality and may not enable the affected features. In fact, COMSOL software typically only uses a relatively limited subset of the Apache Log4j 2.x functionality.

CVE-2026-34477
Assessment: Not vulnerable
The COMSOL software does not enable the Socket Appender so the insufficient TLS hostname verification in Apache Log4j 2.25.3 and below is not relevant.
CVE-2026-34478
Assessment: Not vulnerable
The COMSOL software does not enable the RFC 5424 Layout functionality so the reported log injection paths in Apache Log4j 2.25.3 and below are not relevant.
CVE-2026-34479 and CVE-2026-34480
Assessment: Not vulnerable
The COMSOL software does not enable the XML Layout functionality so the reported lack of sanitization in Apache Log4j 2.25.3 and below is not relevant.
CVE-2026-34481
Assessment: Not vulnerable
The COMSOL software does not enable the JSON Template Layout functionality so the reported issue with non-finite floating-point values in Apache Log4j 2.25.3 and below is not relevant.

Apache Log4j 2.x version

The following versions of the Apache Log4j 2.x library are included with the currently supported versions of COMSOL:

COMSOL 6.4 Update 2:
Apache Log4j 2.25.3
COMSOL 6.3 Update 3:
Apache Log4j 2.25.3

In general, the version of the Apache Log4j software included with a particular COMSOL software installation can be determined by inspecting the filenames of all .jar found by searching for log4j in the COMSOL installation directory. The following are the default installation directories:

On Windows systems: C:\Program Files\COMSOL\COMSOL64\[Product]\
On macOS systems: /Applications/COMSOL64/[Product]/
On Linux systems: /usr/local/comsol64/[product]/
The [Product] path segment is Multiphysics for COMSOL Multiphysics, Server for COMSOL Server, and ModelManagerServer for COMSOL Model Manager Server.

COMSOL makes every reasonable effort to verify the information you view on this page. Resources and documents are provided for your information only, and COMSOL makes no explicit or implied claims to their validity. COMSOL does not assume any legal liability for the accuracy of the data disclosed. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark details.