This is an automated email from the ASF dual-hosted git repository. pkarwasz pushed a commit to branch fix/new-cves in repository https://gitbox.apache.org/repos/asf/logging-site.git
commit 55705b7b33c0afdaaab158453a6f74370202f0ff Author: Piotr P. Karwasz <[email protected]> AuthorDate: Fri Apr 10 14:37:22 2026 +0200 Add details for CVE-2026-34479 --- .../modules/ROOT/pages/_vulnerabilities.adoc | 46 +++++++++++++++ src/site/static/cyclonedx/vdr.xml | 66 ++++++++++++++++++++++ 2 files changed, 112 insertions(+) diff --git a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc index 2500039a..3fc9896c 100644 --- a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc +++ b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc 
@@ -29,6 +29,52 @@ Version ranges follow the https://github.com/package-url/vers-spec/blob/main/VER For brevity, mathematical interval notation is used, with the union operator (`∪`) to represent multiple ranges. ==== +[#CVE-2026-34479] +== {cve-url-prefix}/CVE-2026-34479[CVE-2026-34479] + +[cols="1h,5"] +|=== +|Summary |Silent log event loss in `Log4j1XmlLayout` due to unescaped XML 1.0 forbidden characters +|CVSS 4.x Score & Vector |6.9 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N) +|Components affected |`log4j-1.2-api` +|Versions affected |`[2.7, 2.25.4) ∪ [3.0.0-alpha1, 3.0.0-beta2]` +|Versions fixed |`2.25.4` +|=== + +[#CVE-2026-34479-description] +=== Description + +The `Log4j1XmlLayout` from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. +Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. + +Two groups of users are affected: + +* Those using `Log4j1XmlLayout` directly in a Log4j Core 2 configuration file. +* Those using the Log4j 1 configuration compatibility layer with `org.apache.log4j.xml.XMLLayout` specified as the layout class. + +[#CVE-2026-34479-remediation] +=== Remediation + +Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version `2.25.4`, which corrects this issue. + +[NOTE] +==== +The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. +Users are encouraged to consult the +https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html[Log4j 1 to Log4j 2 migration guide], +and specifically the section on eliminating reliance on the bridge. +==== + +[#CVE-2026-34479-credits] +=== Credits + +This issue was originally reported by Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie), and independently reported by jabaltarik1. 
+ +[#CVE-2026-34479-references] +=== References +* {cve-url-prefix}/CVE-2026-34479[CVE-2026-34479] +* https://github.com/apache/logging-log4j2/pull/4078[Pull request that fixes the issue] + [#CVE-2026-34478] == {cve-url-prefix}/CVE-2026-34478[CVE-2026-34478] diff --git a/src/site/static/cyclonedx/vdr.xml b/src/site/static/cyclonedx/vdr.xml index ba47b68f..c1e60f78 100644 --- a/src/site/static/cyclonedx/vdr.xml +++ b/src/site/static/cyclonedx/vdr.xml 
@@ -89,6 +89,72 @@ <vulnerabilities> + <vulnerability> + <id>CVE-2026-34479</id> + <source> + <name>NVD</name> + <url>https://nvd.nist.gov/vuln/detail/CVE-2026-34479</url> + </source> + <ratings> + <rating> + <source> + <name>The Apache Software Foundation</name> + <url> + <![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N]]></url> + </source> + <score>6.9</score> + <severity>medium</severity> + <method>CVSSv4</method> + <vector>AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</vector> + </rating> + </ratings> + <cwes> + <cwe>116</cwe> + </cwes> + <description><![CDATA[The `Log4j1XmlLayout` from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. +Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. + +Two groups of users are affected: + +* Those using `Log4j1XmlLayout` directly in a Log4j Core 2 configuration file. +* Those using the Log4j 1 configuration compatibility layer with `org.apache.log4j.xml.XMLLayout` specified as the layout class.]]></description> + <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version `2.25.4`, which corrects this issue. + +NOTE: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. 
+Users are encouraged to consult the +https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html[Log4j 1 to Log4j 2 migration guide], +and specifically the section on eliminating reliance on the bridge.]]></recommendation> + <created>2026-04-10T11:53:17Z</created> + <published>2026-04-10T11:53:17Z</published> + <updated>2026-04-10T11:53:17Z</updated> + <credits> + <individuals> + <individual> + <name>Ap4sh (Samy Medjahed)</name> + </individual> + <individual> + <name>Ethicxz (Eliott Laurie)</name> + </individual> + <individual> + <name>jabaltarik1</name> + </individual> + </individuals> + </credits> + <affects> + <target> + <ref>log4j-1.2-api</ref> + <versions> + <version> + <range><![CDATA[vers:maven/>=2.7|<2.25.4]]></range> + </version> + <version> + <range><![CDATA[vers:maven/>=3.0.0-alpha1|<=3.0.0-beta2]]></range> + </version> + </versions> + </target> + </affects> + </vulnerability> + <vulnerability> <id>CVE-2026-34478</id> <source>
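Review bot: the description in the `_vulnerabilities.adoc` hunk never says who controls the offending characters, yet the table scores the issue AV:N/AC:L/AT:N/PR:N/UI:N, which only holds if an unauthenticated remote party can get such a character into a logged message (a request header or parameter the application logs, for instance); state that trigger explicitly. Also name the character class rather than sending readers to the spec: the XML 1.0 `Char` production admits only `#x9`, `#xA`, `#xD`, `#x20-#xD7FF`, `#xE000-#xFFFD` and `#x10000-#x10FFFF`, so the offenders are the remaining C0 control characters, surrogate code points and U+FFFE/U+FFFF. "Fails to escape" is the wrong verb for these: a character reference such as `&#1;` to a non-`Char` is itself a well-formedness violation (WFC: Legal Character), so the correct behaviour is to strip or substitute them, and the summary should say so. The impact sentence is also at odds with itself: a fatal error rejects the whole document, so whether the consumer loses one event or every event in the same file or batch depends on how it splits the stream, and "drop or fail to index affected records" undersells the file-level case. Finally, `Versions fixed` lists only `2.25.4` while `Versions affected` includes `[3.0.0-alpha1, 3.0.0-beta2]`; the NOTE explains the bridge is gone in Log4j 3, but a reader of the table alone will look for a fixed 3.x bridge, so say in the row itself that there is no fixed 3.x bridge and that migration is the remedy.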
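Review bot: the `<description>` and `<recommendation>` CDATA blocks in the `vdr.xml` hunk carry AsciiDoc markup (backtick code spans, `*` bullets, the `NOTE:` admonition and the `https://...[Log4j 1 to Log4j 2 migration guide]` link form); CycloneDX consumers render these fields as plain text, so the bracketed link label and the literal backticks will surface in dashboards exactly as written. Use plain text here, with the migration-guide URL bare. Two smaller points: `<vector>` drops the `CVSS:4.0/` prefix that the adoc table and the `<url>` both carry, and some tooling keys the CVSS version off that prefix rather than off `<method>`, so keep the full string unless the existing entries in this file already omit it; and the `<url>` element's CDATA starts on the line after the opening tag, so the element text begins with a newline and indentation, which `xs:anyURI` whitespace collapsing hides from schema validation but a non-validating reader of the raw XML will see.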
