Log4j 2.12.4 vulnerabilities #4458

@s-nel

Description

Describe the bug

elastic-apm-agent 1.55.6 depends on a very old version of Log4j (2.12.4), which is being flagged by our vulnerability scanners.

apm-agent-java/pom.xml

Lines 93 to 96 in 192ed4e

<!-- this is the last version of log4j that is compatible with Java 7. Due to a known vulnerability
(https://nvd.nist.gov/vuln/detail/CVE-2020-9488#vulnCurrentDescriptionTitle), the SMTP appender is
excluded from the build and not packaged into the agent artifacts -->
<version.log4j>2.12.4</version.log4j>

This is being flagged for several CVEs:

The comment on the dependency specifically mentions that

this is the last version of log4j that is compatible with Java 7. Due to a known vulnerability
(https://nvd.nist.gov/vuln/detail/CVE-2020-9488#vulnCurrentDescriptionTitle), the SMTP appender is
excluded from the build and not packaged into the agent artifacts

It looks like we're also excluding SocketAppender, which has vulnerabilities against it, but we're not excluding XmlLayout, which has two vulnerability reports (med CVE-2026-34479, high CVE-2026-34480):

<exclude>org/apache/logging/log4j/core/appender/SmtpAppender.class</exclude>
<exclude>org/apache/logging/log4j/core/appender/SocketAppender.class</exclude>

If core Java libraries like log4j have dropped support for Java 7, should Elastic's APM agent discontinue support? Java 7 reached EOL in 2022.
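As an added check, not part of this issue or of the apm-agent-java project's own code: a small Python script that opens an agent jar and reports which of the log4j classes discussed above (SmtpAppender, SocketAppender, XmlLayout) are still packaged, and reads the bundled log4j-core version from its Maven pom.properties when that file is present. It matches class files by their trailing "<package>/<Class>.class" suffix so that a relocated (shaded) copy of log4j is found as well as one under the original package. The sample jar is constructed inline; the shaded package prefix used in the second sample and the pom.properties location are assumptions, not facts about the agent build.

```python
import io
import re
import sys
import zipfile
from typing import Dict, List, Optional, Union

# Classes the issue discusses: the pom excludes the first two, but not XmlLayout.
# Extend this tuple with whatever else your scanner flags.
WATCHED_CLASSES = (
    "org/apache/logging/log4j/core/appender/SmtpAppender.class",
    "org/apache/logging/log4j/core/appender/SocketAppender.class",
    "org/apache/logging/log4j/core/layout/XmlLayout.class",
)

# Assumed location of the Maven metadata a bundled log4j-core usually carries.
LOG4J_CORE_POM_PROPERTIES = (
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
)


def _suffix(class_path: str) -> str:
    """Reduce 'a/b/c/appender/SmtpAppender.class' to 'appender/SmtpAppender.class'
    so that a shaded/relocated package still matches."""
    return "/".join(class_path.split("/")[-2:])


def inspect_jar(jar: Union[str, bytes]) -> Dict[str, object]:
    """Return, for every watched class, the jar entries that match it (an empty
    list means it was excluded or is absent), plus the bundled log4j-core
    version if pom.properties is packaged."""
    source = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    with zipfile.ZipFile(source) as zf:
        names = zf.namelist()
        present: Dict[str, List[str]] = {}
        for watched in WATCHED_CLASSES:
            suffix = "/" + _suffix(watched)
            present[watched] = sorted(n for n in names if n.endswith(suffix))
        version: Optional[str] = None
        if LOG4J_CORE_POM_PROPERTIES in names:
            text = zf.read(LOG4J_CORE_POM_PROPERTIES).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", text, re.MULTILINE)
            if match:
                version = match.group(1).strip()
    return {"present": present, "log4j_core_version": version}


def still_packaged(jar: Union[str, bytes]) -> List[str]:
    """Watched classes that are still shipped in the jar, in WATCHED_CLASSES order."""
    result = inspect_jar(jar)
    return [c for c in WATCHED_CLASSES if result["present"][c]]


def build_sample_jar(prefix: str = "org/apache/logging/log4j/core/") -> bytes:
    """Constructed stand-in for an agent jar: log4j-core 2.12.4 bundled with the two
    appenders excluded (as the pom does) but XmlLayout still packaged. 'prefix'
    lets the sample imitate a relocated package (the shaded prefix is made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            LOG4J_CORE_POM_PROPERTIES,
            "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.12.4\n",
        )
        # Class bodies are irrelevant to the check; a class-file magic number stands in.
        zf.writestr(prefix + "appender/ConsoleAppender.class", b"\xca\xfe\xba\xbe")
        zf.writestr(prefix + "layout/XmlLayout.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_log4j_classes.py /path/to/elastic-apm-agent.jar
    # Without an argument the constructed sample jar is inspected instead.
    target: Union[str, bytes] = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    report = inspect_jar(target)
    print("bundled log4j-core version:", report["log4j_core_version"])
    for cls, hits in report["present"].items():
        print(("PRESENT " if hits else "absent  ") + cls, *hits)
```

Run it against the real agent artifact to confirm the build exclusions took effect and to see at a glance which of the flagged classes, such as XmlLayout, remain in the shipped jar. Because the match is on the class-file suffix, a shaded copy of log4j under a different package prefix is reported too, which is what a scanner-driven review actually needs.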

