Bug 2457317 (CVE-2026-40023)
| Summary: | CVE-2026-40023 Apache Log4cxx: Apache Log4cxx: Log processing impairment due to unsanitized XML characters | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A flaw was found in Apache Log4cxx. An attacker who can influence logged data can exploit this by injecting characters forbidden by the XML 1.0 specification (a standard for encoding documents) into log messages, Network Device Configuration (NDC), and Mapped Diagnostic Context (MDC) property keys and values. This results in invalid XML output, causing downstream log processing systems to drop or fail to index affected records. The primary impact is the impairment of audit trails and the detection of malicious activity, leading to a Denial of Service (DoS) for log processing. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2457922, 2457923 | | |
| Bug Blocks: | | | |
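The Doc Text above describes the failure mode but not the mechanics, so here is an added Python example (not Log4cxx code, and not the project's fix) that makes the point concrete from the defender's side. It renders a log event in a hypothetical log4j-style XML layout, first with only markup escaping (the gap the flaw describes: characters like `\x01` or ESC are not markup, so an escaper leaves them in place) and then with an explicit XML 1.0 character filter applied to the message, NDC and MDC keys/values. A strict XML parser stands in for the downstream indexer and shows which records would be dropped. The sample inputs are constructed; the element layout, the `\uFFFD` replacement policy and the function names are assumptions for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML 1.0 (section 2.2) permits only these characters in a document:
# #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF].
# Everything else (other C0 controls, surrogates, U+FFFE/U+FFFF) is forbidden
# and cannot be expressed as an entity; it must be removed or replaced.
_XML10_FORBIDDEN = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def sanitize_xml_text(text: str, replacement: str = "\uFFFD") -> str:
    """Replace every XML 1.0-forbidden character with a visible placeholder
    (U+FFFD here; the replacement policy is an assumption of this example)."""
    return _XML10_FORBIDDEN.sub(replacement, text)


def _attr(value: str) -> str:
    """Escape markup characters for use inside a double-quoted attribute value."""
    return escape(value, {'"': "&quot;"})


def render_event_xml(message: str, ndc: str, mdc: dict, sanitize: bool) -> str:
    """Render one event in a hypothetical log4j-style XML layout (not
    log4cxx's own XMLLayout). With sanitize=False only markup characters are
    escaped, which is exactly the gap described in the bug: control characters
    pass through untouched and the whole record becomes ill-formed XML."""
    clean = sanitize_xml_text if sanitize else (lambda s: s)
    props = "".join(
        '<property name="%s" value="%s"/>' % (_attr(clean(k)), _attr(clean(v)))
        for k, v in mdc.items()
    )
    return "".join([
        '<event logger="app" level="WARN">',
        "<message>%s</message>" % escape(clean(message)),
        "<NDC>%s</NDC>" % escape(clean(ndc)),
        "<properties>%s</properties>" % props,
        "</event>",
    ])


def parses_as_xml(document: str) -> bool:
    """True if a strict XML parser (expat, via ElementTree) accepts the record."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False


def index_events(documents: list) -> tuple:
    """Model a downstream consumer that parses each record before indexing it.
    Returns (indexed, dropped); dropped records are the lost audit trail."""
    indexed = sum(1 for d in documents if parses_as_xml(d))
    return indexed, len(documents) - indexed


# Constructed inputs: C0 control characters that markup escaping ignores.
# \x01 in the message, ESC in the NDC, backspace inside an MDC key.
HOSTILE_MESSAGE = "login failed for user \x01admin"
HOSTILE_NDC = "request-42\x1b"
HOSTILE_MDC = {"client\x08ip": "10.0.0.5"}
BENIGN_MESSAGE = "login ok for user alice"


def demo() -> tuple:
    """Return ((indexed, dropped) without sanitizing, (indexed, dropped) with it)."""
    unsafe = [
        render_event_xml(BENIGN_MESSAGE, "request-41", {"client_ip": "10.0.0.4"}, sanitize=False),
        render_event_xml(HOSTILE_MESSAGE, HOSTILE_NDC, HOSTILE_MDC, sanitize=False),
    ]
    safe = [
        render_event_xml(BENIGN_MESSAGE, "request-41", {"client_ip": "10.0.0.4"}, sanitize=True),
        render_event_xml(HOSTILE_MESSAGE, HOSTILE_NDC, HOSTILE_MDC, sanitize=True),
    ]
    return index_events(unsafe), index_events(safe)


if __name__ == "__main__":
    print(demo())  # ((1, 1), (2, 0))
```

The filter is applied to every attacker-influenced field, including MDC property keys, because one bad character anywhere in the record invalidates the entire event, not just the offending field. Replacing rather than deleting keeps a visible trace that the input contained something unusual, which is itself a useful detection signal when reviewing logs.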
Description
OSIDB Bzimport
2026-04-10 16:01:52 UTC