Bug#1133848: apache-log4j2: CVE-2026-34479

Salvatore Bonaccorso carnil at debian.org
Tue Apr 14 21:44:42 BST 2026


Source: apache-log4j2
Version: 2.19.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for apache-log4j2.

CVE-2026-34479[0]:
| The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails
| to escape characters forbidden by the XML 1.0 standard, producing
| malformed XML output. Conforming XML parsers are required to reject
| documents containing such characters with a fatal error, which may
| cause downstream log processing systems to drop or fail to index
| affected records. Two groups of users are affected:
|   * Those using Log4j1XmlLayout directly in a Log4j Core 2
|     configuration file.
|   * Those using the Log4j 1 configuration compatibility layer with
|     org.apache.log4j.xml.XMLLayout specified as the layout class.
| Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge
| version 2.25.4, which corrects this issue. Note: The Apache Log4j
| 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j
| 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration
| guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html,
| and specifically the section on eliminating reliance on the bridge.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34479
    https://www.cve.org/CVERecord?id=CVE-2026-34479
[1] https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
[2] https://logging.apache.org/security.html#CVE-2026-34479
[3] https://github.com/apache/logging-log4j2/pull/4078
[4] https://github.com/apache/logging-log4j2/commit/25043cfad1bac2e43ebc4638450cbb73c51451c4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
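The failure mode the advisory describes, as an added illustration that is not part of the bug report or of Log4j's own code: which characters XML 1.0 forbids in a document (even as character references), why a conforming parser drops a record that contains one, and the replacement a layout has to perform before emitting it. The event format below is a constructed, simplified approximation of a log4j 1 XMLLayout record, and Python's expat-backed ElementTree stands in for the downstream log indexer's parser.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 "Char" production: anything below U+0020 other than TAB, LF and CR
# is forbidden, as are surrogate code points and U+FFFE/U+FFFF. Unlike '<' or
# '&', these cannot be escaped with an entity or &#N; reference at all.
_XML10_FORBIDDEN = re.compile("[\x00-\x08\x0b\x0c\x0e-\x1f\ud800-\udfff\ufffe\uffff]")


def forbidden_chars(text: str) -> list:
    """List the XML 1.0-forbidden characters present in text as U+XXXX labels.

    Useful as a detection check over log messages before they reach an XML layout.
    """
    return ["U+%04X" % ord(c) for c in _XML10_FORBIDDEN.findall(text)]


def sanitize(text: str, replacement: str = "\ufffd") -> str:
    """Drop forbidden characters by substituting U+FFFD; removal is the only fix."""
    return _XML10_FORBIDDEN.sub(replacement, text)


def render_event(message: str, escape: bool) -> str:
    """Constructed, simplified log4j-1-style event (not the real layout's output).

    escape=False mirrors the unpatched behaviour: the raw message is emitted.
    A ']]>' inside the message would also need handling; that is out of scope here.
    """
    body = sanitize(message) if escape else message
    return (
        '<log4j:event xmlns:log4j="http://jakarta.apache.org/log4j/" '
        'logger="app" level="INFO">'
        "<log4j:message><![CDATA[%s]]></log4j:message>"
        "</log4j:event>" % body
    )


def parses(document: str) -> bool:
    """True if a conforming parser (expat via ElementTree) accepts the document."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample: a log message carrying a NUL and an ANSI escape byte.
    msg = "login failed for \x00admin \x1b[31mERROR"
    print(forbidden_chars(msg))                     # ['U+0000', 'U+001B']
    print(parses(render_event(msg, escape=False)))  # False: record is lost downstream
    print(parses(render_event(msg, escape=True)))   # True
```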