Yuriy Malygin created HIVE-29611:
------------------------------------

             Summary: [CVE-2026-34480] Bump log4j-core version up to 2.25.4
                 Key: HIVE-29611
                 URL: https://issues.apache.org/jira/browse/HIVE-29611
             Project: Hive
          Issue Type: Task
            Reporter: Yuriy Malygin


Apache Hive currently depends on Apache Log4j Core versions affected by 
CVE-2026-34480.

The vulnerability affects XmlLayout in Log4j Core up to version 2.25.3.
Malformed XML output may be produced when log messages contain characters 
forbidden by the XML 1.0 specification. Depending on the StAX implementation, this 
can result in:
* invalid XML logs rejected by downstream log processing systems
* silent log event loss
* exceptions during logging operations

An upstream fix is available in Log4j Core 2.25.4.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
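
The failure mode described in the issue, seen from the log consumer's side, as an added example (not code from Hive or Log4j): it finds characters outside the XML 1.0 `Char` production in a message and shows that a conforming parser rejects a record that carries them. The `<Event>`/`<Message>` element names, the sample message and the `sanitize` workaround are assumptions made for illustration; `sanitize` is not the upstream fix.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Anything outside the XML 1.0 "Char" production:
# #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
FORBIDDEN = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

def forbidden_chars(message):
    """Return (index, 'U+XXXX') for each character XML 1.0 does not allow."""
    return [(m.start(), f"U+{ord(m.group()):04X}")
            for m in FORBIDDEN.finditer(message)]

def naive_event_xml(message):
    """Constructed stand-in for a writer that escapes markup characters only.

    The element names are hypothetical, not Log4j's XmlLayout schema.
    """
    return f"<Event><Message>{escape(message)}</Message></Event>"

def downstream_accepts(xml_text):
    """True if a conforming XML 1.0 parser (expat) accepts the record."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def sanitize(message):
    """Illustrative workaround: replace forbidden characters with U+FFFD."""
    return FORBIDDEN.sub("\ufffd", message)

# Constructed sample: a log message carrying an ANSI escape and a backspace.
SAMPLE = "user=\x1b[31mroot\x08"

if __name__ == "__main__":
    print(forbidden_chars(SAMPLE))
    print(downstream_accepts(naive_event_xml(SAMPLE)))
    print(downstream_accepts(naive_event_xml(sanitize(SAMPLE))))
```

Running `forbidden_chars` over a sample of existing log messages shows whether a deployment that uses XML-formatted logs is exposed to the rejected-record case before the dependency bump lands.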
