[ https://issues.apache.org/jira/browse/GEODE-10579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18080629#comment-18080629 ]

ASF subversion and git services commented on GEODE-10579:
---------------------------------------------------------

Commit 9190bb5de2c5b13d444a1f21d6d91d0dc3cd6584 in geode's branch 
refs/heads/support/2.0 from Jinwoo Hwang
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=9190bb5de2 ]

GEODE-10579: Remediate CVE-2026-34478 - Improper Output Neutralization for Logs 
(#8005)

Upgrade Apache Log4j from 2.25.3 to 2.25.4 to remediate CVE-2026-34478
(CVSS 6.9 MEDIUM).

VULNERABILITY:
  Log4j Core's Rfc5424Layout (versions 2.21.0 through 2.25.3) is
  vulnerable to log injection via CRLF sequences due to undocumented
  renames of security-relevant configuration attributes (CWE-117,
  CWE-684). Two issues affect users of stream-based syslog services:
  - The newLineEscape attribute was silently renamed, disabling newline
    escaping for TCP framing (RFC 6587) and exposing CRLF injection.
  - The useTlsMessageFormat attribute was silently renamed, silently
    downgrading TLS framing (RFC 5425) to unframed TCP without newline
    escaping.

REMEDIATION:
  Updated all Log4j dependency references from 2.25.3 to 2.25.4 across
  dependency constraints, build files, documentation, and test resources.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2026-34478
  https://github.com/apache/logging-log4j2/pull/4074
  https://logging.apache.org/security.html#CVE-2026-34478
(cherry picked from commit a4ec1d2d7d5e2c4d95f8c5be05a48c6baf43e0ce)


> Remediation of Improper Output Neutralization for Logs - CVE-2026-34478
> -----------------------------------------------------------------------
>
>                 Key: GEODE-10579
>                 URL: https://issues.apache.org/jira/browse/GEODE-10579
>             Project: Geode
>          Issue Type: Improvement
>    Affects Versions: 2.0.0
>            Reporter: Jinwoo Hwang
>            Assignee: Jinwoo Hwang
>            Priority: Major
>             Fix For: 2.0.2
>
>
> Improper Output Neutralization for Logs - 
> org.apache.logging.log4j:log4j-core:2.25.3 - CVE-2026-34478



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
