This is an automated email from the ASF dual-hosted git repository.

github-bot pushed a commit to branch main-site-pro-out
in repository https://gitbox.apache.org/repos/asf/logging-site.git


The following commit(s) were added to refs/heads/main-site-pro-out by this push:
     new 564f7ebe Add website content generated from 
`bafaa2f10f049c91259cb481730e085726593322`
564f7ebe is described below

commit 564f7ebe27675692a969c83e210cac91b664b572
Author: ASF Logging Services RM <[email protected]>
AuthorDate: Fri Apr 10 14:36:42 2026 +0000

    Add website content generated from 
`bafaa2f10f049c91259cb481730e085726593322`
---
 cyclonedx/vdr.xml | 521 +++++++++++++++++++++++++++++++++++++++++++++++--
 security.html     | 569 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 sitemap.xml       |  42 ++--
 3 files changed, 1091 insertions(+), 41 deletions(-)

diff --git a/cyclonedx/vdr.xml b/cyclonedx/vdr.xml
index 94fa2a71..9d92b634 100644
--- a/cyclonedx/vdr.xml
+++ b/cyclonedx/vdr.xml
@@ -40,11 +40,11 @@
 <bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
      xmlns="http://cyclonedx.org/schema/bom/1.6";
      xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
-     version="5"
+     version="6"
      serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
 
   <metadata>
-    <timestamp>2025-12-18T16:09:38Z</timestamp>
+    <timestamp>2026-04-10T11:53:17Z</timestamp>
     <manufacturer>
       <name>Apache Logging Services</name>
       <url>https://logging.apache.org</url>
@@ -56,17 +56,488 @@
   <components>
     <component type="library" bom-ref="log4cxx">
       <name>Log4cxx</name>
+      <cpe>cpe:2.3:a:apache:log4cxx:*:*:*:*:*:*:*:*</cpe>
     </component>
-    <component type="library" 
bom-ref="pkg:maven/org.apache.logging.log4j/log4j-core?type=jar">
+    <component type="library" bom-ref="log4cxx-conan">
+      <name>Log4cxx</name>
+      <purl>pkg:conan/log4cxx</purl>
+    </component>
+    <component type="library" bom-ref="log4j-core">
       <group>org.apache.logging.log4j</group>
       <name>log4j-core</name>
       <cpe>cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*</cpe>
       <purl>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</purl>
     </component>
+    <component type="library" bom-ref="log4j-1.2-api">
+      <group>org.apache.logging.log4j</group>
+      <name>log4j-1.2-api</name>
+      <cpe>cpe:2.3:a:apache:log4j_1_2_api:*:*:*:*:*:*:*:*</cpe>
+      <purl>pkg:maven/org.apache.logging.log4j/log4j-1.2-api?type=jar</purl>
+    </component>
+    <component type="library" bom-ref="log4j-layout-template-json">
+      <group>org.apache.logging.log4j</group>
+      <name>log4j-layout-template-json</name>
+      <cpe>cpe:2.3:a:apache:log4j_layout_template_json:*:*:*:*:*:*:*:*</cpe>
+      
<purl>pkg:maven/org.apache.logging.log4j/log4j-layout-template-json?type=jar</purl>
+    </component>
+    <component type="library" bom-ref="log4net">
+      <name>Log4net</name>
+      <cpe>cpe:2.3:a:apache:log4net:*:*:*:*:*:*:*:*</cpe>
+      <purl>pkg:nuget/log4net</purl>
+    </component>
   </components>
 
   <vulnerabilities>
 
+    <vulnerability>
+        <id>CVE-2026-40023</id>
+        <source>
+            <name>NVD</name>
+            <url>https://nvd.nist.gov/vuln/detail/CVE-2026-40023</url>
+        </source>
+        <ratings>
+            <rating>
+                <source>
+                    <name>The Apache Software Foundation</name>
+                    <url>
+                        
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+                </source>
+                <score>6.3</score>
+                <severity>medium</severity>
+                <method>CVSSv4</method>
+                
<vector>AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+            </rating>
+        </ratings>
+        <cwes>
+            <cwe>116</cwe>
+        </cwes>
+        <description><![CDATA[Apache Log4cxx's
+https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html[`XMLLayout`],
+in versions before 1.7.0, fails to sanitize characters forbidden by the
+https://www.w3.org/TR/xml/#charsets[XML 1.0 specification]
+in log messages, NDC, and MDC property keys and values, producing invalid XML 
output.
+Conforming XML parsers must reject such documents with a fatal error, which 
may cause downstream log processing systems to drop or fail to index affected 
records.
+
+An attacker who can influence logged data can exploit this to suppress 
individual log records, impairing audit trails and detection of malicious 
activity.]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache 
Log4cxx version `1.7.0`, which fixes this issue.]]></recommendation>
+        <created>2026-04-10T11:53:17Z</created>
+        <published>2026-04-10T11:53:17Z</published>
+        <updated>2026-04-10T11:53:17Z</updated>
+        <credits>
+            <individuals>
+                <individual>
+                    <name>Olawale Titiloye</name>
+                </individual>
+            </individuals>
+        </credits>
+        <affects>
+            <target>
+                <ref>log4cxx</ref>
+                <versions>
+                    <version>
+                        <range><![CDATA[vers:semver/>=0|<1.7.0]]></range>
+                    </version>
+                </versions>
+            </target>
+            <target>
+                <ref>log4cxx-conan</ref>
+                <versions>
+                    <version>
+                        <range><![CDATA[vers:semver/>=0|<1.7.0]]></range>
+                    </version>
+                </versions>
+            </target>
+        </affects>
+    </vulnerability>
+
+    <vulnerability>
+        <id>CVE-2026-40021</id>
+        <source>
+            <name>NVD</name>
+            <url>https://nvd.nist.gov/vuln/detail/CVE-2026-40021</url>
+        </source>
+        <ratings>
+            <rating>
+                <source>
+                    <name>The Apache Software Foundation</name>
+                    <url>
+                        
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+                </source>
+                <score>6.3</score>
+                <severity>medium</severity>
+                <method>CVSSv4</method>
+                
<vector>AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+            </rating>
+        </ratings>
+        <cwes>
+            <cwe>116</cwe>
+        </cwes>
+        <description><![CDATA[Apache Log4net's
+https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list[`XmlLayout`]
+and
+https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list[`XmlLayoutSchemaLog4J`],
+in versions before 3.3.0, fail to sanitize characters forbidden by the
+https://www.w3.org/TR/xml/#charsets[XML 1.0 specification]
+in MDC property keys and values, as well as the identity field that may carry 
attacker-influenced data.
+This causes an exception during serialization and the silent loss of the 
affected log event.
+
+An attacker who can influence any of these fields can exploit this to suppress 
individual log records, impairing audit trails and detection of malicious 
activity.]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache 
Log4net version `3.3.0`, which fixes this issue.]]></recommendation>
+        <created>2026-04-10T11:53:17Z</created>
+        <published>2026-04-10T11:53:17Z</published>
+        <updated>2026-04-10T11:53:17Z</updated>
+        <credits>
+            <individuals>
+                <individual>
+                    <name>f00dat</name>
+                </individual>
+            </individuals>
+        </credits>
+        <affects>
+            <target>
+                <ref>log4net</ref>
+                <versions>
+                    <version>
+                        <range><![CDATA[vers:nuget/>=0|<3.3.0]]></range>
+                    </version>
+                </versions>
+            </target>
+        </affects>
+    </vulnerability>
+
+    <vulnerability>
+        <id>CVE-2026-34481</id>
+        <source>
+            <name>NVD</name>
+            <url>https://nvd.nist.gov/vuln/detail/CVE-2026-34481</url>
+        </source>
+        <ratings>
+            <rating>
+                <source>
+                    <name>The Apache Software Foundation</name>
+                    <url>
+                        
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+                </source>
+                <score>6.3</score>
+                <severity>medium</severity>
+                <method>CVSSv4</method>
+                
<vector>AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+            </rating>
+        </ratings>
+        <cwes>
+            <cwe>116</cwe>
+        </cwes>
+        <description><![CDATA[Apache Log4j's
+https://logging.apache.org/log4j/2.x/manual/json-template-layout.html[`JsonTemplateLayout`],
+in versions up to and including 2.25.3, produces invalid JSON output when log 
events contain non-finite floating-point values (`NaN`, `Infinity`, or 
`-Infinity`), which are prohibited by RFC 8259.
+This may cause downstream log processing systems to reject or fail to index 
affected records.
+
+An attacker can exploit this issue only if both of the following conditions 
are met:
+
+* The application uses `JsonTemplateLayout`.
+* The application logs a `MapMessage` containing an attacker-controlled 
floating-point value.]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 
JSON Template Layout version `2.25.4`, which corrects this 
issue.]]></recommendation>
+        <created>2026-04-10T11:53:17Z</created>
+        <published>2026-04-10T11:53:17Z</published>
+        <updated>2026-04-10T11:53:17Z</updated>
+        <credits>
+            <individuals>
+                <individual>
+                    <name>Ap4sh (Samy Medjahed)</name>
+                </individual>
+                <individual>
+                    <name>Ethicxz (Eliott Laurie)</name>
+                </individual>
+            </individuals>
+        </credits>
+        <affects>
+            <target>
+                <ref>log4j-layout-template-json</ref>
+                <versions>
+                    <version>
+                        <range><![CDATA[vers:maven/>=2.14.0|<2.25.4]]></range>
+                    </version>
+                    <version>
+                        
<range><![CDATA[vers:maven/>=3.0.0-alpha1|<=3.0.0-beta3]]></range>
+                    </version>
+                </versions>
+            </target>
+        </affects>
+    </vulnerability>
+
+    <vulnerability>
+        <id>CVE-2026-34480</id>
+        <source>
+            <name>NVD</name>
+            <url>https://nvd.nist.gov/vuln/detail/CVE-2026-34480</url>
+        </source>
+        <ratings>
+            <rating>
+                <source>
+                    <name>The Apache Software Foundation</name>
+                    <url>
+                        
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+                </source>
+                <score>6.9</score>
+                <severity>medium</severity>
+                <method>CVSSv4</method>
+                
<vector>AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+            </rating>
+        </ratings>
+        <cwes>
+            <cwe>116</cwe>
+        </cwes>
+        <description><![CDATA[Apache Log4j Core's
+https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout[`XmlLayout`],
+in versions up to and including 2.25.3, fails to sanitize characters forbidden 
by the
+https://www.w3.org/TR/xml/#charsets[XML 1.0 specification]
+producing invalid XML output whenever a log message or MDC value contains such 
characters.
+
+The impact depends on the StAX implementation in use:
+
+* *JRE built-in StAX:* Forbidden characters are silently written to the 
output, producing malformed XML.
+Conforming parsers must reject such documents with a fatal error, which may 
cause downstream log-processing systems to drop the affected records.
+* *Alternative StAX implementations* (e.g., 
https://github.com/FasterXML/woodstox[Woodstox], a transitive dependency of the 
Jackson XML Dataformat module): An exception is thrown during the logging call, 
and the log event is never delivered to its intended appender, only to Log4j's 
internal status logger.]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 
Core version `2.25.4`, which corrects this issue by sanitizing forbidden 
characters before XML output.]]></recommendation>
+        <created>2026-04-10T11:53:17Z</created>
+        <published>2026-04-10T11:53:17Z</published>
+        <updated>2026-04-10T11:53:17Z</updated>
+        <credits>
+            <individuals>
+                <individual>
+                    <name>Ap4sh (Samy Medjahed)</name>
+                </individual>
+                <individual>
+                    <name>Ethicxz (Eliott Laurie)</name>
+                </individual>
+                <individual>
+                    <name>jabaltarik1</name>
+                </individual>
+            </individuals>
+        </credits>
+        <affects>
+            <target>
+                <ref>log4j-core</ref>
+                <versions>
+                    <version>
+                        
<range><![CDATA[vers:maven/>=2.0-alpha1|<2.25.4]]></range>
+                    </version>
+                    <version>
+                        
<range><![CDATA[vers:maven/>=3.0.0-alpha1|<=3.0.0-beta3]]></range>
+                    </version>
+                </versions>
+            </target>
+        </affects>
+    </vulnerability>
+
+    <vulnerability>
+        <id>CVE-2026-34479</id>
+        <source>
+            <name>NVD</name>
+            <url>https://nvd.nist.gov/vuln/detail/CVE-2026-34479</url>
+        </source>
+        <ratings>
+            <rating>
+                <source>
+                    <name>The Apache Software Foundation</name>
+                    <url>
+                        
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+                </source>
+                <score>6.9</score>
+                <severity>medium</severity>
+                <method>CVSSv4</method>
+                
<vector>AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+            </rating>
+        </ratings>
+        <cwes>
+            <cwe>116</cwe>
+        </cwes>
+        <description><![CDATA[The `Log4j1XmlLayout` from the Apache Log4j 
1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 
standard, producing malformed XML output.
+Conforming XML parsers are required to reject documents containing such 
characters with a fatal error, which may cause downstream log processing 
systems to drop or fail to index affected records.
+
+Two groups of users are affected:
+
+* Those using `Log4j1XmlLayout` directly in a Log4j Core 2 configuration file.
+* Those using the Log4j 1 configuration compatibility layer with 
`org.apache.log4j.xml.XMLLayout` specified as the layout class.]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 
1-to-Log4j 2 bridge version `2.25.4`, which corrects this issue.
+
+NOTE: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be 
present in Log4j 3.
+Users are encouraged to consult the
+https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html[Log4j 1 to Log4j 
2 migration guide],
+and specifically the section on eliminating reliance on the 
bridge.]]></recommendation>
+        <created>2026-04-10T11:53:17Z</created>
+        <published>2026-04-10T11:53:17Z</published>
+        <updated>2026-04-10T11:53:17Z</updated>
+        <credits>
+            <individuals>
+                <individual>
+                    <name>Ap4sh (Samy Medjahed)</name>
+                </individual>
+                <individual>
+                    <name>Ethicxz (Eliott Laurie)</name>
+                </individual>
+                <individual>
+                    <name>jabaltarik1</name>
+                </individual>
+            </individuals>
+        </credits>
+        <affects>
+            <target>
+                <ref>log4j-1.2-api</ref>
+                <versions>
+                    <version>
+                        <range><![CDATA[vers:maven/>=2.7|<2.25.4]]></range>
+                    </version>
+                    <version>
+                        
<range><![CDATA[vers:maven/>=3.0.0-alpha1|<=3.0.0-beta2]]></range>
+                    </version>
+                </versions>
+            </target>
+        </affects>
+    </vulnerability>
+
+    <vulnerability>
+        <id>CVE-2026-34478</id>
+        <source>
+            <name>NVD</name>
+            <url>https://nvd.nist.gov/vuln/detail/CVE-2026-34478</url>
+        </source>
+        <ratings>
+            <rating>
+                <source>
+                    <name>The Apache Software Foundation</name>
+                    <url>
+                        
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+                </source>
+                <score>6.9</score>
+                <severity>medium</severity>
+                <method>CVSSv4</method>
+                
<vector>AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+            </rating>
+        </ratings>
+        <cwes>
+            <cwe>684</cwe>
+            <cwe>117</cwe>
+        </cwes>
+        <description><![CDATA[Apache Log4j Core's
+https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout[`Rfc5424Layout`],
+in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF 
sequences due to undocumented renames of security-relevant configuration 
attributes.
+
+Two distinct issues affect users of stream-based syslog services who configure 
`Rfc5424Layout` directly:
+
+* The `newLineEscape` attribute was silently renamed, causing newline escaping 
to stop working for users of TCP framing (RFC 6587), exposing them to CRLF 
injection in log output.
+* The `useTlsMessageFormat` attribute was silently renamed, causing users of 
TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), 
without newline escaping.
+
+Users of the `SyslogAppender` are not affected, as its configuration 
attributes were not modified.]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 
Core version `2.25.4`, which corrects this issue.]]></recommendation>
+        <created>2026-04-10T11:53:17Z</created>
+        <published>2026-04-10T11:53:17Z</published>
+        <updated>2026-04-10T11:53:17Z</updated>
+        <credits>
+            <individuals>
+                <individual>
+                    <name>Samuli Leinonen</name>
+                </individual>
+            </individuals>
+        </credits>
+        <affects>
+            <target>
+                <ref>log4j-core</ref>
+                <versions>
+                    <version>
+                        <range><![CDATA[vers:maven/>=2.21.0|<2.25.4]]></range>
+                    </version>
+                    <version>
+                        
<range><![CDATA[vers:maven/>=3.0.0-beta1|<=3.0.0-beta3]]></range>
+                    </version>
+                </versions>
+            </target>
+        </affects>
+    </vulnerability>
+
+    <vulnerability>
+        <id>CVE-2026-34477</id>
+        <source>
+            <name>NVD</name>
+            <url>https://nvd.nist.gov/vuln/detail/CVE-2026-34477</url>
+        </source>
+        <ratings>
+            <rating>
+                <source>
+                    <name>The Apache Software Foundation</name>
+                    <url>
+                        
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+                </source>
+                <score>6.3</score>
+                <severity>medium</severity>
+                <method>CVSSv4</method>
+                
<vector>AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+            </rating>
+        </ratings>
+        <cwes>
+            <cwe>297</cwe>
+        </cwes>
+        <description><![CDATA[The fix for CVE-2025-68161 was incomplete: it 
addressed hostname verification only when enabled via the
+https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName[`log4j2.sslVerifyHostName`]
+system property, but not when configured through the
+https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName[`verifyHostName`]
+attribute of the `<Ssl>` element.
+
+Although the `verifyHostName` configuration attribute was introduced in Log4j 
Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving 
TLS connections vulnerable to interception regardless of the configured value.
+
+A network-based attacker may be able to perform a man-in-the-middle attack 
when *all* of the following conditions are met:
+
+* An SMTP, Socket, or Syslog appender is in use.
+* TLS is configured via a nested `<Ssl>` element.
+* The attacker can present a certificate issued by a CA trusted by the 
appender's configured trust store, or by the default Java trust store if none 
is configured.
+
+This issue does not affect users of the HTTP appender, which uses a separate
+https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName[`verifyHostname`]
+attribute that was not subject to this bug and verifies host names by 
default.]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 
Core version `2.25.4`, which corrects this issue.]]></recommendation>
+        <created>2026-04-10T11:53:17Z</created>
+        <published>2026-04-10T11:53:17Z</published>
+        <updated>2026-04-10T11:53:17Z</updated>
+        <credits>
+            <individuals>
+                <individual>
+                    <name>Samuli Leinonen</name>
+                </individual>
+                <individual>
+                    <name>Naresh Kandula</name>
+                </individual>
+                <individual>
+                    <name>Vitaly Simonovich</name>
+                </individual>
+                <individual>
+                    <name>Raijuna</name>
+                </individual>
+                <individual>
+                    <name>Danish Siddiqui</name>
+                </individual>
+                <individual>
+                    <name>Markus Magnuson</name>
+                </individual>
+                <individual>
+                    <name>Haruki Oyama</name>
+                </individual>
+            </individuals>
+        </credits>
+        <affects>
+            <target>
+                <ref>log4j-core</ref>
+                <versions>
+                    <version>
+                        <range><![CDATA[vers:maven/>=2.12.0|<2.25.4]]></range>
+                    </version>
+                    <version>
+                        
<range><![CDATA[vers:maven/>=3.0.0-alpha1|<=3.0.0-beta3]]></range>
+                    </version>
+                </versions>
+            </target>
+        </affects>
+    </vulnerability>
+
     <vulnerability>
         <id>CVE-2025-68161</id>
         <source>
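Review bot: Every new `<vulnerability>` in this hunk (CVE-2026-40023 through CVE-2026-34477) carries the same value in `<created>`, `<published>` and `<updated>`, and that value is the BOM generation time also written to `<metadata><timestamp>`. If `published` is meant to be the advisory's own publication date, emitting the generation time hides the real exposure window for consumers that compute time-to-patch from it; presumably the advisory sources know that date, in which case it should be carried through and only `created` taken from the generator. Separately, the `<description>` and `<recommendation>` CDATA blocks embed AsciiDoc (link macros such as `https://…/classlog4cxx_1_1xml_1_1XMLLayout.html[`XMLLayout`]`, and `*JRE built-in StAX:*` bold markers); as far as I can tell CycloneDX declares no markup format for `description`, so VDR viewers will show the raw macros, and a plain-text rendering of those fields would be safer.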
@@ -107,7 +578,7 @@ For earlier versions, the risk can be reduced by carefully 
restricting the trust
         <updated>2025-12-18T16:09:38Z</updated>
         <affects>
             <target>
-                
<ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+                <ref>log4j-core</ref>
                 <versions>
                     <version>
                         
<range><![CDATA[vers:maven/>=2.0-beta9|<2.25.3]]></range>
@@ -147,7 +618,7 @@ This may prevent applications that consume these logs from 
correctly interpretin
         <![CDATA[Users are recommended to upgrade to version `1.5.0`, which 
fixes the issue.]]></recommendation>
       <created>2025-08-22T07:31:10Z</created>
       <published>2025-08-22T07:31:10Z</published>
-      <updated>2025-08-22T07:31:10Z</updated>
+      <updated>2026-04-10T11:53:17Z</updated>
       <credits>
         <organizations>
           <organization>
@@ -158,10 +629,18 @@ This may prevent applications that consume these logs 
from correctly interpretin
       </credits>
       <affects>
         <target>
-          <ref>logcxx</ref>
+          <ref>log4cxx</ref>
           <versions>
             <version>
-              <range><![CDATA[vers:semver>=0.11.0|<1.5.0]]></range>
+              <range><![CDATA[vers:semver/>=0.11.0|<1.5.0]]></range>
+            </version>
+          </versions>
+        </target>
+        <target>
+          <ref>log4cxx-conan</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:semver/>=0.11.0|<1.5.0]]></range>
             </version>
           </versions>
         </target>
@@ -192,7 +671,7 @@ This may prevent applications that consume these logs from 
correctly interpretin
         <cwe>117</cwe>
       </cwes>
       <description><![CDATA[When using `HTMLLayout`, logger names are not 
properly escaped when writing out to the HTML file.
-If untrusted data is used to retrieve the name of a logger, an attacker could 
theoretically inject HTML or Javascript in order to hide information from logs 
or steal data from the user.
+If untrusted data is used to retrieve the name of a logger, an attacker could 
theoretically inject HTML or JavaScript in order to hide information from logs 
or steal data from the user.
 In order to activate this, the following sequence must occur:
 
 * Log4cxx is configured to use `HTMLLayout`.
@@ -205,7 +684,7 @@ Because logger names are generally constant strings, we 
assess the impact to use
         <![CDATA[Users are recommended to upgrade to version `1.5.0`, which 
fixes the issue.]]></recommendation>
       <created>2025-08-22T07:31:10Z</created>
       <published>2025-08-22T07:31:10Z</published>
-      <updated>2025-08-22T07:31:10Z</updated>
+      <updated>2026-04-10T11:53:17Z</updated>
       <credits>
         <organizations>
           <organization>
@@ -216,10 +695,18 @@ Because logger names are generally constant strings, we 
assess the impact to use
       </credits>
       <affects>
         <target>
-          <ref>logcxx</ref>
+          <ref>log4cxx</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:semver/<1.5.0]]></range>
+            </version>
+          </versions>
+        </target>
+        <target>
+          <ref>log4cxx-conan</ref>
           <versions>
             <version>
-              <range><![CDATA[vers:semver<1.5.0]]></range>
+              <range><![CDATA[vers:semver/<1.5.0]]></range>
             </version>
           </versions>
         </target>
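Review bot: The range for this Log4cxx advisory is now `vers:semver/<1.5.0` with no lower bound on both targets, while the advisory in the preceding hunk uses `vers:semver/>=0.11.0|<1.5.0` and the new CVE-2026-40023 entry spells "all earlier versions" as `vers:semver/>=0|<1.7.0`. Three spellings of the same idea make it hard to tell whether the missing lower bound here is deliberate (the `HTMLLayout` escaping bug predating 0.11.0) or an oversight. If it is deliberate, `vers:semver/>=0|<1.5.0` would match the convention of the new entries; if the bug was introduced in 0.11.0 as well, the range should read `vers:semver/>=0.11.0|<1.5.0`. The enclosing `<vulnerability>` element starts and ends outside this hunk.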
@@ -259,7 +746,7 @@ In prior releases confirm that if the JDBC Appender is 
being used it is not conf
       <updated>2025-08-17T11:18:06Z</updated>
       <affects>
         <target>
-          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <ref>log4j-core</ref>
           <versions>
             <version>
               <range><![CDATA[vers:maven/>=2.0-beta7|<2.3.1]]></range>
@@ -332,7 +819,7 @@ Note that this mitigation is insufficient in releases older 
than `2.12.2` (for J
       </credits>
       <affects>
         <target>
-          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <ref>log4j-core</ref>
           <versions>
             <version>
               <range><![CDATA[vers:maven/>=2.0-alpha1|<2.3.1]]></range>
@@ -416,7 +903,7 @@ Any other Lookup could also be included in a Thread Context 
Map variable and pos
       </credits>
       <affects>
         <target>
-          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <ref>log4j-core</ref>
           <versions>
             <version>
               <range><![CDATA[vers:maven/>=2.0-beta9|<2.3.1]]></range>
@@ -487,7 +974,7 @@ An attacker who can control log messages or log message 
parameters can execute a
       </credits>
       <affects>
         <target>
-          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <ref>log4j-core</ref>
           <versions>
             <version>
               <range><![CDATA[vers:maven/>=2.0-beta9|<2.3.1]]></range>
@@ -556,7 +1043,7 @@ Alternatively, users can set the 
`mail.smtp.ssl.checkserveridentity` system prop
       </credits>
       <affects>
         <target>
-          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <ref>log4j-core</ref>
           <versions>
             <version>
               <range><![CDATA[vers:maven/>=2.0-beta1|<2.3.2]]></range>
@@ -626,7 +1113,7 @@ Java 6 users should avoid using the TCP or UDP socket 
server classes, or they ca
       </credits>
       <affects>
         <target>
-          <ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+          <ref>log4j-core</ref>
           <versions>
             <version>
               <range><![CDATA[vers:maven/>=2.0-alpha1|<2.8.2]]></range>
diff --git a/security.html b/security.html
index f130c639..39f6fbb6 100644
--- a/security.html
+++ b/security.html
@@ -551,6 +551,569 @@ We choose to pool all information on this one page, 
allowing easy searching for
 </table>
 </div>
 <div class="sect2">
+<h3 id="CVE-2026-40023"><a class="anchor" href="#CVE-2026-40023"></a><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-40023";>CVE-2026-40023</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p 
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Silent log 
event loss in <code>XMLLayout</code> due to unescaped XML 1.0 forbidden 
characters</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x 
Score &amp; Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.3 MEDIUM 
(CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">Log4cxx</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[0, 
1.7.0)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>1.7.0</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2026-40023-description"><a class="anchor" 
href="#CVE-2026-40023-description"></a>Description</h4>
+<div class="paragraph">
+<p>Apache Log4cxx&#8217;s
+<a 
href="https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html";><code>XMLLayout</code></a>,
+in versions before 1.7.0, fails to sanitize characters forbidden by the
+<a href="https://www.w3.org/TR/xml/#charsets";>XML 1.0 specification</a>
+in log messages, NDC, and MDC property keys and values, producing invalid XML 
output.
+Conforming XML parsers must reject such documents with a fatal error, which 
may cause downstream log processing systems to drop or fail to index affected 
records.</p>
+</div>
+<div class="paragraph">
+<p>An attacker who can influence logged data can exploit this to suppress 
individual log records, impairing audit trails and detection of malicious 
activity.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-40023-remediation"><a class="anchor" 
href="#CVE-2026-40023-remediation"></a>Remediation</h4>
+<div class="paragraph">
+<p>Users are advised to upgrade to Apache Log4cxx version <code>1.7.0</code>, 
which fixes this issue.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-40023-credits"><a class="anchor" 
href="#CVE-2026-40023-credits"></a>Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Olawale Titiloye.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-40023-references"><a class="anchor" 
href="#CVE-2026-40023-references"></a>References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-40023";>CVE-2026-40023</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4cxx/pull/609";>Pull request 
that fixes the issue</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2026-40021"><a class="anchor" href="#CVE-2026-40021"></a><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-40021";>CVE-2026-40021</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p 
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Silent log 
event loss in <code>XmlLayout</code> and <code>XmlLayoutSchemaLog4J</code> due 
to unescaped XML 1.0 forbidden characters</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x 
Score &amp; Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.3 MEDIUM 
(CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">Log4net</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[0, 
3.3.0)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>3.3.0</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2026-40021-description"><a class="anchor" 
href="#CVE-2026-40021-description"></a>Description</h4>
+<div class="paragraph">
+<p>Apache Log4net&#8217;s
+<a 
href="https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list";><code>XmlLayout</code></a>
+and
+<a 
href="https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list";><code>XmlLayoutSchemaLog4J</code></a>,
+in versions before 3.3.0, fail to sanitize characters forbidden by the
+<a href="https://www.w3.org/TR/xml/#charsets";>XML 1.0 specification</a>
+in MDC property keys and values, as well as the identity field that may carry 
attacker-influenced data.
+This causes an exception during serialization and the silent loss of the 
affected log event.</p>
+</div>
+<div class="paragraph">
+<p>An attacker who can influence any of these fields can exploit this to 
suppress individual log records, impairing audit trails and detection of 
malicious activity.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-40021-remediation"><a class="anchor" 
href="#CVE-2026-40021-remediation"></a>Remediation</h4>
+<div class="paragraph">
+<p>Users are advised to upgrade to Apache Log4net version <code>3.3.0</code>, 
which fixes this issue.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-40021-credits"><a class="anchor" 
href="#CVE-2026-40021-credits"></a>Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by f00dat.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-40021-references"><a class="anchor" 
href="#CVE-2026-40021-references"></a>References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-40021";>CVE-2026-40021</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4net/pull/280";>Pull request 
that fixes the issue</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2026-34481"><a class="anchor" href="#CVE-2026-34481"></a><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-34481";>CVE-2026-34481</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p 
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Improper 
serialization of non-finite floating-point values in 
<code>JsonTemplateLayout</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x 
Score &amp; Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.3 MEDIUM 
(CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>log4j-layout-template-json</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.14.0, 2.25.4) ∪ [3.0.0-alpha1, 
3.0.0-beta3]</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.25.4</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2026-34481-description"><a class="anchor" 
href="#CVE-2026-34481-description"></a>Description</h4>
+<div class="paragraph">
+<p>Apache Log4j&#8217;s
+<a 
href="https://logging.apache.org/log4j/2.x/manual/json-template-layout.html";><code>JsonTemplateLayout</code></a>,
+in versions up to and including 2.25.3, produces invalid JSON output when log 
events contain non-finite floating-point values (<code>NaN</code>, 
<code>Infinity</code>, or <code>-Infinity</code>), which are prohibited by RFC 
8259.
+This may cause downstream log processing systems to reject or fail to index 
affected records.</p>
+</div>
+<div class="paragraph">
+<p>An attacker can exploit this issue only if both of the following conditions 
are met:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>The application uses <code>JsonTemplateLayout</code>.</p>
+</li>
+<li>
+<p>The application logs a <code>MapMessage</code> containing an 
attacker-controlled floating-point value.</p>
+</li>
+</ul>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34481-remediation"><a class="anchor" 
href="#CVE-2026-34481-remediation"></a>Remediation</h4>
+<div class="paragraph">
+<p>Users are advised to upgrade to Apache Log4j JSON Template Layout version 
<code>2.25.4</code>, which corrects this issue.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34481-credits"><a class="anchor" 
href="#CVE-2026-34481-credits"></a>Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Ap4sh (Samy Medjahed) and Ethicxz (Eliott 
Laurie).</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34481-references"><a class="anchor" 
href="#CVE-2026-34481-references"></a>References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-34481";>CVE-2026-34481</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4j2/pull/4080";>Pull request 
that fixes the issue</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2026-34480"><a class="anchor" href="#CVE-2026-34480"></a><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-34480";>CVE-2026-34480</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p 
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Silent log 
event loss in <code>XmlLayout</code> due to unescaped XML 1.0 forbidden 
characters</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x 
Score &amp; Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.9 MEDIUM 
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Log4j 
Core</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-alpha1, 2.25.4) ∪ [3.0.0-alpha1, 
3.0.0-beta3]</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.25.4</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2026-34480-description"><a class="anchor" 
href="#CVE-2026-34480-description"></a>Description</h4>
+<div class="paragraph">
+<p>Apache Log4j Core&#8217;s
+<a 
href="https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout";><code>XmlLayout</code></a>,
+in versions up to and including 2.25.3, fails to sanitize characters forbidden 
by the
+<a href="https://www.w3.org/TR/xml/#charsets";>XML 1.0 specification</a>
+producing invalid XML output whenever a log message or MDC value contains such 
characters.</p>
+</div>
+<div class="paragraph">
+<p>The impact depends on the StAX implementation in use:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><strong>JRE built-in StAX:</strong> Forbidden characters are silently 
written to the output, producing malformed XML.
+Conforming parsers must reject such documents with a fatal error, which may 
cause downstream log-processing systems to drop the affected records.</p>
+</li>
+<li>
+<p><strong>Alternative StAX implementations</strong> (e.g., <a 
href="https://github.com/FasterXML/woodstox";>Woodstox</a>, a transitive 
dependency of the Jackson XML Dataformat module): An exception is thrown during 
the logging call, and the log event is never delivered to its intended 
appender, only to Log4j&#8217;s internal status logger.</p>
+</li>
+</ul>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34480-remediation"><a class="anchor" 
href="#CVE-2026-34480-remediation"></a>Remediation</h4>
+<div class="paragraph">
+<p>Users are advised to upgrade to Apache Log4j Core version 
<code>2.25.4</code>, which corrects this issue by sanitizing forbidden 
characters before XML output.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34480-credits"><a class="anchor" 
href="#CVE-2026-34480-credits"></a>Credits</h4>
+<div class="paragraph">
+<p>This issue was originally reported by Ap4sh (Samy Medjahed) and Ethicxz 
(Eliott Laurie), and independently reported by jabaltarik1.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34480-references"><a class="anchor" 
href="#CVE-2026-34480-references"></a>References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-34480";>CVE-2026-34480</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4j2/pull/4077";>Pull request 
that fixes the issue</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2026-34479"><a class="anchor" href="#CVE-2026-34479"></a><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-34479";>CVE-2026-34479</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p 
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Silent log 
event loss in <code>Log4j1XmlLayout</code> due to unescaped XML 1.0 forbidden 
characters</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x 
Score &amp; Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.9 MEDIUM 
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>log4j-1.2-api</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.7, 2.25.4) ∪ [3.0.0-alpha1, 
3.0.0-beta2]</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.25.4</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2026-34479-description"><a class="anchor" 
href="#CVE-2026-34479-description"></a>Description</h4>
+<div class="paragraph">
+<p>The <code>Log4j1XmlLayout</code> from the Apache Log4j 1-to-Log4j 2 bridge 
fails to escape characters forbidden by the XML 1.0 standard, producing 
malformed XML output.
+Conforming XML parsers are required to reject documents containing such 
characters with a fatal error, which may cause downstream log processing 
systems to drop or fail to index affected records.</p>
+</div>
+<div class="paragraph">
+<p>Two groups of users are affected:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Those using <code>Log4j1XmlLayout</code> directly in a Log4j Core 2 
configuration file.</p>
+</li>
+<li>
+<p>Those using the Log4j 1 configuration compatibility layer with 
<code>org.apache.log4j.xml.XMLLayout</code> specified as the layout class.</p>
+</li>
+</ul>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34479-remediation"><a class="anchor" 
href="#CVE-2026-34479-remediation"></a>Remediation</h4>
+<div class="paragraph">
+<p>Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 
<code>2.25.4</code>, which corrects this issue.</p>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<i class="fa icon-note" title="Note"></i>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present 
in Log4j 3.
+Users are encouraged to consult the
+<a href="https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html";>Log4j 
1 to Log4j 2 migration guide</a>,
+and specifically the section on eliminating reliance on the bridge.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34479-credits"><a class="anchor" 
href="#CVE-2026-34479-credits"></a>Credits</h4>
+<div class="paragraph">
+<p>This issue was originally reported by Ap4sh (Samy Medjahed) and Ethicxz 
(Eliott Laurie), and independently reported by jabaltarik1.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34479-references"><a class="anchor" 
href="#CVE-2026-34479-references"></a>References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-34479";>CVE-2026-34479</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4j2/pull/4078";>Pull request 
that fixes the issue</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2026-34478"><a class="anchor" href="#CVE-2026-34478"></a><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-34478";>CVE-2026-34478</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p 
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Log 
injection in <code>Rfc5424Layout</code> due to silent configuration 
incompatibility</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x 
Score &amp; Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.9 MEDIUM 
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Log4j 
Core</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.21.0, 2.25.4) ∪ [3.0.0-beta1, 
3.0.0-beta3]</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.25.4</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2026-34478-description"><a class="anchor" 
href="#CVE-2026-34478-description"></a>Description</h4>
+<div class="paragraph">
+<p>Apache Log4j Core&#8217;s
+<a 
href="https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout";><code>Rfc5424Layout</code></a>,
+in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF 
sequences due to undocumented renames of security-relevant configuration 
attributes.</p>
+</div>
+<div class="paragraph">
+<p>Two distinct issues affect users of stream-based syslog services who 
configure <code>Rfc5424Layout</code> directly:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>The <code>newLineEscape</code> attribute was silently renamed, causing 
newline escaping to stop working for users of TCP framing (RFC 6587), exposing 
them to CRLF injection in log output.</p>
+</li>
+<li>
+<p>The <code>useTlsMessageFormat</code> attribute was silently renamed, 
causing users of TLS framing (RFC 5425) to be silently downgraded to unframed 
TCP (RFC 6587), without newline escaping.</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>Users of the <code>SyslogAppender</code> are not affected, as its 
configuration attributes were not modified.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34478-remediation"><a class="anchor" 
href="#CVE-2026-34478-remediation"></a>Remediation</h4>
+<div class="paragraph">
+<p>Users are advised to upgrade to Apache Log4j Core version 
<code>2.25.4</code>, which corrects this issue.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34478-credits"><a class="anchor" 
href="#CVE-2026-34478-credits"></a>Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Samuli Leinonen.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34478-references"><a class="anchor" 
href="#CVE-2026-34478-references"></a>References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-34478";>CVE-2026-34478</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4j2/pull/4074";>Pull request 
that fixes the issue</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2026-34477"><a class="anchor" href="#CVE-2026-34477"></a><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-34477";>CVE-2026-34477</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p 
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>verifyHostName</code> attribute silently ignored in 
TLS configuration</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x 
Score &amp; Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.3 MEDIUM 
(CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Log4j 
Core</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.12.0, 2.25.4) ∪ [3.0.0-alpha1, 
3.0.0-beta3]</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.25.4</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2026-34477-description"><a class="anchor" 
href="#CVE-2026-34477-description"></a>Description</h4>
+<div class="paragraph">
+<p>The fix for <a href="#CVE-2025-68161">CVE-2025-68161</a> was incomplete: it 
addressed hostname verification only when enabled via the
+<a 
href="https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName";><code>log4j2.sslVerifyHostName</code></a>
+system property, but not when configured through the
+<a 
href="https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName";><code>verifyHostName</code></a>
+attribute of the <code>&lt;Ssl&gt;</code> element.</p>
+</div>
+<div class="paragraph">
+<p>Although the <code>verifyHostName</code> configuration attribute was 
introduced in Log4j Core 2.12.0, it was silently ignored in all versions 
through 2.25.3, leaving TLS connections vulnerable to interception regardless 
of the configured value.</p>
+</div>
+<div class="paragraph">
+<p>A network-based attacker may be able to perform a man-in-the-middle attack 
when <strong>all</strong> of the following conditions are met:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>An SMTP, Socket, or Syslog appender is in use.</p>
+</li>
+<li>
+<p>TLS is configured via a nested <code>&lt;Ssl&gt;</code> element.</p>
+</li>
+<li>
+<p>The attacker can present a certificate issued by a CA trusted by the 
appender&#8217;s configured trust store, or by the default Java trust store if 
none is configured.</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>This issue does not affect users of the HTTP appender, which uses a separate
+<a 
href="https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName";><code>verifyHostname</code></a>
+attribute that was not subject to this bug and verifies host names by 
default.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34477-remediation"><a class="anchor" 
href="#CVE-2026-34477-remediation"></a>Remediation</h4>
+<div class="paragraph">
+<p>Users are advised to upgrade to Apache Log4j Core version 
<code>2.25.4</code>, which corrects this issue.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34477-credits"><a class="anchor" 
href="#CVE-2026-34477-credits"></a>Credits</h4>
+<div class="paragraph">
+<p>This issue was originally reported by Samuli Leinonen and independently 
reported by Naresh Kandula, Vitaly Simonovich, Raijuna, Danish Siddiqui 
(djvirus), Markus Magnuson, and Haruki Oyama (Waseda University).</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-34477-references"><a class="anchor" 
href="#CVE-2026-34477-references"></a>References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-34477";>CVE-2026-34477</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4j2/pull/4075";>Pull request 
that fixes the issue</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
 <h3 id="CVE-2025-68161"><a class="anchor" href="#CVE-2025-68161"></a><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2025-68161";>CVE-2025-68161</a></h3>
 <table class="tableblock frame-all grid-all stretch">
 <colgroup>
@@ -572,7 +1135,7 @@ We choose to pool all information on this one page, 
allowing easy searching for
 </tr>
 <tr>
 <th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
-<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta9, 2.25.3)</code></p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta9, 2.25.3) ∪ [3.0.0-alpha1, 
3.0.0-beta3]</code></p></td>
 </tr>
 <tr>
 <th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
@@ -583,7 +1146,7 @@ We choose to pool all information on this one page, 
allowing easy searching for
 <div class="sect3">
 <h4 id="CVE-2025-68161-description"><a class="anchor" 
href="#CVE-2025-68161-description"></a>Description</h4>
 <div class="paragraph">
-<p>The Socket Appender in Log4j Core versions <code>2.0-beta9</code> through 
<code>2.25.2</code> does not perform TLS hostname verification of the peer 
certificate, even when the
+<p>The Socket Appender in affected Log4j Core versions does not perform TLS 
hostname verification of the peer certificate, even when the
 <a 
href="https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName";><code>verifyHostName</code></a>
 configuration attribute or the
 <a 
href="https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName";><code>log4j2.sslVerifyHostName</code></a>
@@ -750,7 +1313,7 @@ This may prevent applications that consume these logs from 
correctly interpretin
 <h4 id="CVE-2025-54812-description"><a class="anchor" 
href="#CVE-2025-54812-description"></a>Description</h4>
 <div class="paragraph">
 <p>When using <code>HTMLLayout</code>, logger names are not properly escaped 
when writing out to the HTML file.
-If untrusted data is used to retrieve the name of a logger, an attacker could 
theoretically inject HTML or Javascript in order to hide information from logs 
or steal data from the user.
+If untrusted data is used to retrieve the name of a logger, an attacker could 
theoretically inject HTML or JavaScript in order to hide information from logs 
or steal data from the user.
 In order to activate this, the following sequence must occur:</p>
 </div>
 <div class="ulist">
diff --git a/sitemap.xml b/sitemap.xml
index b6929a55..d76fd579 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -2,86 +2,86 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9";>
 <url>
 
<loc>https://logging.apache.org/blog/20231117-flume-joins-logging-services.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/blog/20231128-new-pmc-member.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 
<loc>https://logging.apache.org/blog/20231202-apache-common-logging-1.3.0.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 
<loc>https://logging.apache.org/blog/20231214-announcing-support-from-the-stf.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/blog/20231218-20-years-of-innovation.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 
<loc>https://logging.apache.org/blog/20240725-Log4j-At-Community-Over-Code-2024.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/blog/20240808-welcome-to-the-pmc-jan.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/blog/20240812-log4j-bug-bounty.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 
<loc>https://logging.apache.org/blog/20250728-introduction-to-vex-files.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/blog/index.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/charter.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/download.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/guidelines.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/index.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/processes.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/security.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/security/faq.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/support.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/team-list.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/what-is-logging.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/xml/ns/index.html</loc>
-<lastmod>2026-03-25T19:56:03.535Z</lastmod>
+<lastmod>2026-04-10T14:36:40.249Z</lastmod>
 </url>
 </urlset>
