From 140424d8f3dcab7f51de01446783bd248eec159b Mon Sep 17 00:00:00 2001
From: "Piotr P. Karwasz"
Date: Fri, 10 Apr 2026 21:32:45 +0200
Subject: [PATCH] Improve GHSA-h383-gmxw-35v2

---
 .../GHSA-h383-gmxw-35v2.json | 52 +++++++++++++++++--
 1 file changed, 48 insertions(+), 4 deletions(-)

diff --git a/advisories/unreviewed/2026/04/GHSA-h383-gmxw-35v2/GHSA-h383-gmxw-35v2.json b/advisories/unreviewed/2026/04/GHSA-h383-gmxw-35v2/GHSA-h383-gmxw-35v2.json
index 7065b713cfbd4..9924b691aee60 100644
--- a/advisories/unreviewed/2026/04/GHSA-h383-gmxw-35v2/GHSA-h383-gmxw-35v2.json
+++ b/advisories/unreviewed/2026/04/GHSA-h383-gmxw-35v2/GHSA-h383-gmxw-35v2.json
@@ -1,19 +1,59 @@
 { "schema_version": "1.4.0", "id": "GHSA-h383-gmxw-35v2",
- "modified": "2026-04-10T18:31:18Z",
+ "modified": "2026-04-10T18:31:27Z",
 "published": "2026-04-10T18:31:18Z", "aliases": [ "CVE-2026-34479" ],
- "details": "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.",
+ "summary": "Apache Log4j 1 to Log4j 2 bridge: silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters",
+ "details": "The `Log4j1XmlLayout` from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. 
Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n* Those using `Log4j1XmlLayout` directly in a Log4j Core 2 configuration file.\n* Those using the Log4j 1 configuration compatibility layer with `org.apache.log4j.xml.XMLLayout` specified as the layout class.\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version `2.25.4`, which corrects this issue.\n\n> [!NOTE]\n> The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the\n[Log4j 1 to Log4j 2 migration guide](https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html), and specifically the section on eliminating reliance on the bridge.",
 "severity": [ { "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.logging.log4j:log4j-1.2-api"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.7"
+ },
+ {
+ "fixed": "2.25.4"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.logging.log4j:log4j-1.2-api"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.0.0-beta1"
+ },
+ {
+ "last_affected": "3.0.0-beta2"
+ }
+ ]
+ }
+ ]
 } ],
- "affected": [],
 "references": [ { "type": "ADVISORY",
@@ -23,6 +63,10 @@
 "type": "WEB", "url": "https://github.com/apache/logging-log4j2/pull/4078" },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/apache/logging-log4j2"
+ },
 { "type": "WEB", "url": "https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on"
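Review bot: The remediation sentence in the new `details` value ("upgrade to ... `2.25.4`") covers only the 2.x line, while the second `affected` entry added in this hunk lists `3.0.0-beta1` through `"last_affected": "3.0.0-beta2"` with no `fixed` event, so a reader on a 3.0.0 beta is pointed at a version that does not apply to them. If `last_affected` is meant to record that the bridge was dropped from Log4j 3 after beta2 (which the deprecation note suggests), say so next to the upgrade advice, e.g. `The bridge also shipped in Log4j 3.0.0-beta1 and 3.0.0-beta2 and has no fixed 3.x release; users of those versions must remove the bridge, see the migration guide below.` It would also help defenders to state who controls the forbidden characters: the `AV:N`/`SI:L` vector implies attacker-supplied log content, and the practical impact per the text is that a record carrying such a character is dropped or left unindexed downstream, i.e. a log-evasion primitive rather than only a formatting defect, which the current wording leaves the reader to infer.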