CVE-2025-68161 log4j-core of BuildAgents for TeamCity 2025.11.2 Build 208045 (and previous)

Hello,

Our systems are regularly scanned for issues. A current finding is CVE-2025-68161 for log4j being used by the BuildAgent instances. As far as I know the update process of TeamCity, the connected BuildAgents automatically update themselves as soon as the TeamCity Server has been updated. Therefore I see the current (identical) build number in the root directory of the BuildAgents.

If I have a look at the pom inside log4j-core.jar, version “2.17.2” is used, which is (according to the CVE entry) vulnerable.

According to Apache, version “2.25.3” fixes this vulnerability.

Are there plans to upgrade the used log4j version and what timeline can we expect for it?

Thank you & Best regards

0
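The manual check described in the post (reading the version from the pom inside log4j-core.jar) can be repeated across an agent directory with a short script. This is an added example, not part of the original thread and not JetBrains tooling; the function names are hypothetical, the directory to scan is passed as an argument, and the comparison is only against the 2.25.3 version named in the post.

```python
import re
import sys
import zipfile
from pathlib import Path

# Entry carried by Maven-built log4j-core jars; it contains "version=<x.y.z>".
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 25, 3)  # version the post names as fixing CVE-2025-68161


def parse_version(text):
    """Turn '2.17.2' or '2.25.3-SNAPSHOT' into a comparable 3-tuple of ints."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts + [0] * (3 - len(parts)))


def read_version(jar_path):
    """Return the version string from the jar's pom.properties, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None  # no Maven metadata, or not a readable jar
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan(root):
    """List (path, version, status) for every log4j-core*.jar under root."""
    results = []
    for jar in sorted(Path(root).rglob("log4j-core*.jar")):
        version = read_version(jar)
        if version is None:
            status = "unknown"        # inspect by hand
        elif parse_version(version) < FIXED:
            status = "below-fixed"    # older than the release named in the post
        else:
            status = "ok"
        results.append((str(jar), version, status))
    return results


if __name__ == "__main__":
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:12} {version or '-':10} {path}")
```

A jar reported as "unknown" has no Maven metadata at the expected entry and needs a manual look, for example at its manifest.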
4 comments
Hi Daniel,

We're aware of this vulnerability, and Log4j will be updated to the unaffected version in the next TeamCity release (2026.1).
Please let me know if you have further questions.

Best regards,
Anton
1

Hi Anton,

Thank you for the information. That's everything I need to know :)

Best regards

Daniel

0

Anton, is there an update on the 2026.1 release date?

Thanks,

Brian 

1
Hi Brian,

It's planned for late April, but a fixed date hasn't been set yet.

Best regards,
Anton
1
