Bug 2390431 (CVE-2025-54813)

Summary:	CVE-2025-54813 apache-log4cxx: Log4cxx: Improper JSON Output Neutralization
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	Keywords:	Security
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A flaw was found in apache-log4cxx. When utilizing JSONLayout, the component fails to properly escape certain payload bytes, allowing attacker-supplied messages containing specific non-printable characters to be passed through unescaped. This allows an attacker to inject arbitrary data into log outputs possibly preventing applications which consumes the generated log files unable to read it.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2393130, 2393129, 2393131, 2393132, 2393133
Bug Blocks:

Description OSIDB Bzimport 2025-08-22 19:01:39 UTC

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx.

When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these logs from correctly interpreting the information within them.

This issue affects Apache Log4cxx: before 1.5.0.

Users are recommended to upgrade to version 1.5.0, which fixes the issue.