Bug 2457313 (CVE-2026-34479) - CVE-2026-34479 org.apache.logging.log4j/log4j-1.2-api: Apache Log4j 1-to-Log4j 2 bridge: Log processing denial of service due to improper XML escaping
Summary: CVE-2026-34479 org.apache.logging.log4j/log4j-1.2-api: Apache Log4j 1-to-Log4...
Keywords:
Status: NEW
Alias: CVE-2026-34479
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2457912 2457914 2457911 2457913
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-10 16:01 UTC by OSIDB Bzimport
Modified: 2026-04-13 16:53 UTC (History)
28 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-10 16:01:35 UTC 
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.

Two groups of users are affected:

  *  Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
  *  Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.


Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.

Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the  Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.
Note You need to log in before you can comment on or make changes to this bug.