[jira] [Updated] (HIVE-29611) [CVE-2026-34480] Bump log4j-core version up to 2.25.4

Yuriy Malygin (Jira) Wed, 13 May 2026 10:44:45 -0700


     [ 
https://issues.apache.org/jira/browse/HIVE-29611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Yuriy Malygin updated HIVE-29611:
---------------------------------
    Priority: Critical  (was: Major)

> [CVE-2026-34480] Bump log4j-core version up to 2.25.4
> -----------------------------------------------------
>
>                 Key: HIVE-29611
>                 URL: https://issues.apache.org/jira/browse/HIVE-29611
>             Project: Hive
>          Issue Type: Task
>            Reporter: Yuriy Malygin
>            Priority: Critical
>              Labels: pull-request-available
>
> Apache Hive currently depends on Apache Log4j Core versions affected by 
> CVE-2026-34480.
> The vulnerability affects XmlLayout in Log4j Core up to version 2.25.3.
> Malformed XML output may be produced when log messages contain characters 
> forbidden by XML 1.0 specification. Depending on the StAX implementation, 
> this can result in:
> * invalid XML logs rejected by downstream log processing systems
> * silent log event loss
> * exceptions during logging operations
> Upstream fix is available in Log4j Core 2.25.4



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (HIVE-29611) [CVE-2026-34480] Bump log4j-core version up to 2.25.4

Reply via email to