Bug#1136032: apache-log4j1.2: CVE-2026-34480
Moritz Mühlenhoff
jmm at inutil.org
Fri May 8 15:33:36 BST 2026
Source: apache-log4j1.2
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for apache-log4j1.2.
CVE-2026-34480[0]:
| Apache Log4j Core's XmlLayout
| https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout ,
| in versions up to and including 2.25.3, fails to sanitize characters
| forbidden by the XML 1.0 specification
| https://www.w3.org/TR/xml/#charsets producing invalid XML output
| whenever a log message or MDC value contains such characters. The
| impact depends on the StAX implementation in use: * JRE built-in
| StAX: Forbidden characters are silently written to the output,
| producing malformed XML. Conforming parsers must reject such
| documents with a fatal error, which may cause downstream log-
| processing systems to drop the affected records. * Alternative
| StAX implementations (e.g., Woodstox
| https://github.com/FasterXML/woodstox , a transitive dependency of
| the Jackson XML Dataformat module): An exception is thrown during
| the logging call, and the log event is never delivered to its
| intended appender, only to Log4j's internal status logger. Users
| are advised to upgrade to Apache Log4j Core 2.25.4, which corrects
| this issue by sanitizing forbidden characters before XML output.
It's not entirely clear if 1.2 is also affected, please check:
https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv
https://logging.apache.org/security.html#CVE-2026-34481
https://github.com/apache/logging-log4j2/pull/4080
Fixed by: https://github.com/apache/logging-log4j2/commit/2c4dd1db372c59ad73aca88e281635fe30072268 (rel/2.25.4)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-34480
https://www.cve.org/CVERecord?id=CVE-2026-34480
Please adjust the affected versions in the BTS as needed.
More information about the pkg-java-maintainers
mailing list