Log4J Vulnerability

Update: May 18, 2026 - Log4J 2.25.4 was included in the latest maintenance release 10.1.972.17.

For more information see the following article: Known Issues: 10.1.972 Issues – Adaptiva Support Portal

Update: April 10, 2026 - CVE 2026-34479 was released and impacts Log4J releases 2.25.3

The CVE is resolved in 2.25.4 and later.

Adaptiva will be including the latest Log4J release in the maintenance release build scheduled for a May release.

While we recognize the existence of the CVE and potential vulnerability, Adaptiva is not using the functionality in Log4J that resulted in this vulnerability. We are using the XML 2.0 standard and are not bridging between 1.0 and 2.0.

Update: January 19, 2026 - CVE 2025-68161 was released and impacts Log4J releases 2.25.2 and earlier.

The CVE is resolved in 2.25.3 and later.

Adaptiva will be including the latest Log4J release in the quarter 1 build scheduled for a March 2026 release.

While we recognize the existence of the CVE and potential vulnerability, Adaptiva is not using the functionality in Log4J that resulted in the vulnerability. The issue addressed is a man-in-the-middle attack where the attacker intercepts log traffic on the network. All log4j activity in the Adaptiva products is isolated to the device and does not write logs across the network.

If you cannot wait for the next Adaptiva release to remediate this issue, please follow the steps below:

Manual steps

1. Download the files from here: https://adaptiva-releases.adaptivacdn.cloud/Log4j-2.25.4-Update.zip.
2. Stop the Adaptiva Client service.

3. Delete the files listed below from %adaptivaclient%\lib\misc:

   Log4j-api-#.##.#.jar

   Log4j-core-#.##.#.jar

   Log4j-jcl-#.##.#.jar

   Log4j-layout-template-json-#.##.#.jar

   Log4j-slf4j2-impl-#.##.#.jar

    

4. Extract the contents of the downloaded zip file to %adaptivaclient%\lib\misc.
5. Start the Adaptiva Client service.

NOTE: The same process can be used for the Adaptiva Server, replacing the files in %adaptivaserver%\lib\misc after stopping the Adaptiva Server service. 

Adaptiva Workbench

This update is not supported for the Adaptiva Workbench. The Log4J files will be updated on the latest maintenance release starting with 10.1.972.17. See the link above for additional information.

Automated using a ConfigMgr task sequence

1. Download the files from here: https://adaptiva-releases.adaptivacdn.cloud/Log4j-2.25.4-Update.zip.
2. Extract the contents of the downloaded zip file to your content source location in a folder named: Log4J-Updated.
3. Create a ConfigMgr package with those contents. No program is required.
4. Create a task sequence with the following steps: 
   1. Set Task Sequence Variable
      • Name: Set SMSTSDownloadProgram.
      • Task Sequence VariableL SMSTSDownloadProgram.
      • Value: "%adaptivaclient%\bin\%processor_architecture%\OneSiteDownloader.exe"
   2. Run Command Line
      1. Name: Update log4J
      2. Click on the Options tab and select Continue on error.
      3. Check the box for Package and select the Log4J package that was created.

      4. Enter the following Command line:

         cmd /c net stop AdaptivaClient && del "%AdaptivaClient%\lib\misc\log4j*.jar" && xcopy *.* "%AdaptivaClient%\lib\misc" /S /C /I /R /Y

         NOTE: This step will fail if the Adaptiva does not exist or is already stopped and the files will not be copied. To ensure the files are always copied the net stop AdaptivaClient command can be moved to its own step.

   3. Run Command Line.
      1. Name: Start Adaptiva Client.
      2. Click on the Options tab and select Continue on error.

      3. Enter the following Command line:

         cmd /c net start AdaptivaClient

5. Deploy the task sequence to a collection of test devices.
6. On the User Experience page, uncheck Show Task Sequence progress.
7. Review the deployment results and deploy to the remaining devices.