Krishna Chidrawar created KAFKA-20510:
-----------------------------------------
Summary: [CVE-2026-34479] [log4j-1.2-api] [2.25.3]
Key: KAFKA-20510
URL: https://issues.apache.org/jira/browse/KAFKA-20510
Project: Kafka
Issue Type: Bug
Affects Versions: 4.2.0
Reporter: Krishna Chidrawar
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape
characters forbidden by the XML 1.0 standard, producing malformed XML output.
Conforming XML parsers are required to reject documents containing such
characters with a fatal error, which may cause downstream log processing
systems to drop or fail to index affected records.
Two groups of users are affected:
* Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
* Those using the Log4j 1 configuration compatibility layer with
org.apache.log4j.xml.XMLLayout specified as the layout class.
Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version
2.25.4, which corrects this issue.
Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be
present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2
migration guide [https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html]
, and specifically the section on eliminating reliance on the bridge.
*NVD URL :* [https://nvd.nist.gov/vuln/detail/CVE-2026-34479]
*Fix Version :* 2.25.4
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
