Source: apache-log4j1.2
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,

The following vulnerability was published for apache-log4j1.2.

CVE-2026-34480[0]:
| Apache Log4j Core's XmlLayout
| https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout ,
| in versions up to and including 2.25.3, fails to sanitize characters
| forbidden by the XML 1.0 specification
| https://www.w3.org/TR/xml/#charsets producing invalid XML output
| whenever a log message or MDC value contains such characters. The
| impact depends on the StAX implementation in use:
|
| * JRE built-in StAX: Forbidden characters are silently written to the
|   output, producing malformed XML. Conforming parsers must reject such
|   documents with a fatal error, which may cause downstream
|   log-processing systems to drop the affected records.
|
| * Alternative StAX implementations (e.g., Woodstox
|   https://github.com/FasterXML/woodstox , a transitive dependency of
|   the Jackson XML Dataformat module): An exception is thrown during
|   the logging call, and the log event is never delivered to its
|   intended appender, only to Log4j's internal status logger.
|
| Users are advised to upgrade to Apache Log4j Core 2.25.4, which
| corrects this issue by sanitizing forbidden characters before XML
| output.

It's not entirely clear if 1.2 is also affected, please check:

https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv
https://logging.apache.org/security.html#CVE-2026-34481
https://github.com/apache/logging-log4j2/pull/4080

Fixed by:
https://github.com/apache/logging-log4j2/commit/2c4dd1db372c59ad73aca88e281635fe30072268 (rel/2.25.4)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34480
    https://www.cve.org/CVERecord?id=CVE-2026-34480

Please adjust the affected versions in the BTS as needed.
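Added example (Python, not part of the bug report and not Log4j's own code) showing the XML 1.0 character rule behind the advisory: a check implementing the Char production from the linked spec, a constructed stand-in for an XML layout, and a conforming parser (expat via ElementTree) confirming that a single unsanitized control character makes the whole record unparseable, which is the "dropped records" outcome described above. The `<Event>`/`<Message>` element names and the U+FFFD replacement are assumptions of this example, not Log4j's real XmlLayout output or the 2.25.4 fix.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML 1.0 "Char" production (https://www.w3.org/TR/xml/#charsets):
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# Anything outside these ranges may not appear anywhere in a document,
# escaped or not, so an XML layout has to drop or replace it.
_FORBIDDEN = re.compile(
    "[^\t\n\r\u0020-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)

def forbidden_chars(text: str) -> list[int]:
    """Code points in text that XML 1.0 forbids (useful for scanning
    existing log files for records a conforming parser will reject)."""
    return [ord(c) for c in _FORBIDDEN.findall(text)]

def sanitize(text: str, replacement: str = "\ufffd") -> str:
    """Replace forbidden characters before serialising. Assumption: U+FFFD
    is this example's choice, not necessarily what Log4j 2.25.4 writes."""
    return _FORBIDDEN.sub(replacement, text)

def render_event(message: str, sanitizing: bool) -> str:
    """Constructed stand-in for an XML layout (hypothetical element names,
    not Log4j's real XmlLayout output). It escapes markup characters
    (&, <, >) but, like the affected layout, lets control characters
    through unless sanitizing=True."""
    body = sanitize(message) if sanitizing else message
    return f"<Event><Message>{escape(body)}</Message></Event>"

def parses(xml_text: str) -> bool:
    """True if a conforming parser (expat, via ElementTree) accepts it."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

# Constructed sample message: contains U+0001 (forbidden) and a tab (allowed).
SAMPLE = "request id=42\x01 path=/health\tstatus=200"

if __name__ == "__main__":
    print("forbidden code points:", forbidden_chars(SAMPLE))         # [1]
    print("unsanitized parses:", parses(render_event(SAMPLE, False)))  # False
    print("sanitized parses:", parses(render_event(SAMPLE, True)))     # True
```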

