[jira] [Commented] (GEODE-10580) Remediation of CVE-2026-34478

Mon, 27 Apr 2026 03:03:08 -0700 


    [ 
https://issues.apache.org/jira/browse/GEODE-10580?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18076525#comment-18076525
 ] 

ASF subversion and git services commented on GEODE-10580:
---------------------------------------------------------

Commit de9f4fa95c49b073478274f927f5e3a2d9e2fe6c in geode's branch 
refs/heads/support/1.15 from Jinwoo Hwang
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=de9f4fa95c ]

GEODE-10580: Remediate CVE-2026-34478 - Improper Output Neutralization for Logs 
(#8006)

Upgrade Apache Log4j from 2.25.3 to 2.25.4 on support/1.15 to remediate
CVE-2026-34478 (CVSS 6.9 MEDIUM). Also corrects stale Log4j version
references (2.17.2, 2.12.0, 2.5) missed during the prior GEODE-10544
upgrade.

VULNERABILITY:
  Log4j Core's Rfc5424Layout (versions 2.21.0 through 2.25.3) is
  vulnerable to log injection via CRLF sequences due to undocumented
  renames of security-relevant configuration attributes (CWE-117,
  CWE-684). Two issues affect users of stream-based syslog services:
  - The newLineEscape attribute was silently renamed, disabling newline
    escaping for TCP framing (RFC 6587) and exposing CRLF injection.
  - The useTlsMessageFormat attribute was silently renamed, silently
    downgrading TLS framing (RFC 5425) to unframed TCP without newline
    escaping.

REMEDIATION:
  Updated all Log4j dependency references to 2.25.4 across dependency
  constraints, build files, expected POM, resource files, and
  documentation. Corrected stale 2.17.2/2.12.0/2.5 references that
  were missed by the prior GEODE-10544 upgrade.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2026-34478
  https://github.com/apache/logging-log4j2/pull/4074
  https://logging.apache.org/security.html#CVE-2026-34478

> Remediation of CVE-2026-34478
> -----------------------------
>
>                 Key: GEODE-10580
>                 URL: https://issues.apache.org/jira/browse/GEODE-10580
>             Project: Geode
>          Issue Type: Improvement
>    Affects Versions: 1.15.3
>            Reporter: Jinwoo Hwang
>            Assignee: Jinwoo Hwang
>            Priority: Major
>             Fix For: 1.15.4
>
>
> Improper Output Neutralization for Logs - CVE-2026-34478



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to