[ https://issues.apache.org/jira/browse/GEODE-10544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18076526#comment-18076526 ]
ASF subversion and git services commented on GEODE-10544:
---------------------------------------------------------
Commit de9f4fa95c49b073478274f927f5e3a2d9e2fe6c in geode's branch
refs/heads/support/1.15 from Jinwoo Hwang
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=de9f4fa95c ]
GEODE-10580: Remediate CVE-2026-34478 - Improper Output Neutralization for Logs
(#8006)
Upgrade Apache Log4j from 2.25.3 to 2.25.4 on support/1.15 to remediate
CVE-2026-34478 (CVSS 6.9 MEDIUM). Also corrects stale Log4j version
references (2.17.2, 2.12.0, 2.5) missed during the prior GEODE-10544
upgrade.
VULNERABILITY:
Log4j Core's Rfc5424Layout (versions 2.21.0 through 2.25.3) is
vulnerable to log injection via CRLF sequences due to undocumented
renames of security-relevant configuration attributes (CWE-117,
CWE-684). Two issues affect users of stream-based syslog services:
- The newLineEscape attribute was silently renamed, disabling newline
escaping for TCP framing (RFC 6587) and exposing CRLF injection.
- The useTlsMessageFormat attribute was silently renamed, silently
downgrading TLS framing (RFC 5425) to unframed TCP without newline
escaping.
REMEDIATION:
Updated all Log4j dependency references to 2.25.4 across dependency
constraints, build files, expected POM, resource files, and
documentation. Corrected stale 2.17.2/2.12.0/2.5 references that
were missed by the prior GEODE-10544 upgrade.
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-34478
https://github.com/apache/logging-log4j2/pull/4074
https://logging.apache.org/security.html#CVE-2026-34478
> Apache Log4j Core Security Remediation
> --------------------------------------
>
> Key: GEODE-10544
> URL: https://issues.apache.org/jira/browse/GEODE-10544
> Project: Geode
> Issue Type: Improvement
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
> Fix For: 1.15.3
>
>
> Remediation of the security vulnerabilities reported in Apache Log4j Core
> * [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
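The CRLF log-injection mechanism the commit message describes (CWE-117 against newline-delimited syslog framing, and why losing the RFC 5425 octet-counting framing matters) can be shown with a small model. The block below is an added example, not Geode or Log4j code: it builds RFC 5424 records, frames them the two ways RFC 6587 allows, and parses them back as a receiver would. The `newline_escape` parameter models newline escaping in the layout and is not the real Log4j attribute name; the timestamp, hosts, app names and the attacker-controlled username are constructed for the example.

```python
# Added example (not Geode or Log4j code): a minimal model of RFC 5424
# records carried over the two TCP framings from RFC 6587, showing why
# unescaped CR/LF in a logged field lets a log consumer see a forged
# second record, and how newline escaping or octet counting prevents it.
from typing import List, Optional

# Constructed placeholder timestamp used in every record.
_TIMESTAMP = "2026-01-01T00:00:00Z"


def rfc5424_record(pri: int, host: str, app: str, msg: str,
                   newline_escape: Optional[str] = None) -> str:
    """Build one RFC 5424 line. When newline_escape is set, CR/LF in the
    free-text MSG part are replaced; this models the layout's newline
    escaping (the parameter name is an assumption, not Log4j's)."""
    if newline_escape is not None:
        msg = (msg.replace("\r\n", newline_escape)
                  .replace("\n", newline_escape)
                  .replace("\r", newline_escape))
    return f"<{pri}>1 {_TIMESTAMP} {host} {app} - - - {msg}"


def frame_non_transparent(records: List[str]) -> bytes:
    """RFC 6587 section 3.4.2: each record is terminated by LF."""
    return "".join(r + "\n" for r in records).encode("utf-8")


def frame_octet_counting(records: List[str]) -> bytes:
    """RFC 6587 section 3.4.1 / RFC 5425: 'MSG-LEN SP SYSLOG-MSG'."""
    out = bytearray()
    for r in records:
        body = r.encode("utf-8")
        out += f"{len(body)} ".encode("ascii") + body
    return bytes(out)


def parse_non_transparent(stream: bytes) -> List[str]:
    """Receiver side: split on LF, tolerating a trailing CR."""
    return [chunk.rstrip(b"\r").decode("utf-8")
            for chunk in stream.split(b"\n") if chunk]


def parse_octet_counting(stream: bytes) -> List[str]:
    """Receiver side: read MSG-LEN, then exactly that many bytes, so
    embedded CR/LF stays inside the record it belongs to."""
    records, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)
        n = int(stream[i:sp])
        start = sp + 1
        records.append(stream[start:start + n].decode("utf-8"))
        i = start + n
    return records


# Constructed attacker input: a username containing CRLF followed by a
# complete forged RFC 5424 header, e.g. submitted through a login form
# whose value ends up in the log message.
FORGED_USER = ("alice\r\n<13>1 " + _TIMESTAMP
               + " db01 auth - - - login ok user=admin")


def records_seen(escape: Optional[str], framing: str) -> List[str]:
    """Log the attacker string with the given escaping and framing, and
    return the records a receiver would reconstruct from the stream."""
    rec = rfc5424_record(13, "web01", "app",
                         f"login failed user={FORGED_USER}",
                         newline_escape=escape)
    if framing == "non-transparent":
        return parse_non_transparent(frame_non_transparent([rec]))
    if framing == "octet-counting":
        return parse_octet_counting(frame_octet_counting([rec]))
    raise ValueError(f"unknown framing: {framing}")


if __name__ == "__main__":
    for escape, framing in [(None, "non-transparent"),
                            ("\\n", "non-transparent"),
                            (None, "octet-counting")]:
        seen = records_seen(escape, framing)
        print(f"escape={escape!r:6} framing={framing:16} records={len(seen)}")
        for s in seen:
            print("   ", s)
```

With newline-delimited framing and no escaping, the receiver sees two records, the second a forged "login ok user=admin" event attributed to a different host. Escaping the CR/LF keeps it to one record, and octet-counting framing (what RFC 5425 TLS transport uses) keeps it to one record even without escaping, which is why a silent fall-back from RFC 5425 framing to unframed TCP without escaping re-opens the injection.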