[ https://issues.apache.org/jira/browse/KAFKA-20509?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mickael Maison resolved KAFKA-20509.
------------------------------------
Resolution: Duplicate
> [CVE-2026-34480] [log4j-core] [2.25.3]
> ---------------------------------------
>
> Key: KAFKA-20509
> URL: https://issues.apache.org/jira/browse/KAFKA-20509
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 4.2.0
> Reporter: Krishna Chidrawar
> Priority: Major
>
> Apache Log4j Core's XmlLayout
> [https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout], in
> versions up to and including 2.25.3, fails to sanitize characters forbidden
> by the XML 1.0 specification [https://www.w3.org/TR/xml/#charsets], producing
> invalid XML output whenever a log message or MDC value contains such
> characters.
> The impact depends on the StAX implementation in use:
> * JRE built-in StAX: Forbidden characters are silently written to the
> output, producing malformed XML. Conforming parsers must reject such
> documents with a fatal error, which may cause downstream log-processing
> systems to drop the affected records.
> * Alternative StAX implementations (e.g., Woodstox
> [https://github.com/FasterXML/woodstox], a transitive dependency of the
> Jackson XML Dataformat module): An exception is thrown during the logging
> call, and the log event is never delivered to its intended appender, only to
> Log4j's internal status logger.
> Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this
> issue by sanitizing forbidden characters before XML output.
> *NVD URL:* [https://nvd.nist.gov/vuln/detail/CVE-2026-34480]
> *Fix Version:* 2.25.4, 3.0.0-beta3
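The following is an added, self-contained Python illustration of the failure mode described in the issue; it is not code from the Kafka or Log4j projects. It encodes the XML 1.0 `Char` production from the linked specification, renders a toy `<Event>` element standing in for an XML log layout (the element and attribute names are invented for the example), and feeds the result to Python's expat-based parser, which plays the role of the "conforming parser" in a downstream log-processing system. Replacing forbidden characters with U+FFFD is this example's choice; the issue only states that 2.25.4 sanitizes them, not how.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML 1.0 "Char" production (https://www.w3.org/TR/xml/#charsets):
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# Anything outside these ranges (e.g. NUL, \x01, U+FFFE) must not appear in a
# well-formed XML 1.0 document, even escaped as a character reference.
_FORBIDDEN = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def is_valid_xml_text(s: str) -> bool:
    """True if every code point in s is allowed by the XML 1.0 Char production."""
    return _FORBIDDEN.search(s) is None


def sanitize_xml_text(s: str, replacement: str = "\ufffd") -> str:
    """Replace forbidden code points; U+FFFD as replacement is an assumption of this example."""
    return _FORBIDDEN.sub(replacement, s)


def render_event(message: str, mdc: dict, sanitize: bool) -> str:
    """Render one log event as XML, optionally sanitizing message and MDC values.

    Mirrors the two behaviours in the issue: with sanitize=False forbidden
    characters are written straight into the document (the JRE StAX case);
    with sanitize=True they are replaced before output (the 2.25.4 behaviour).
    Element and attribute names are constructed for this example.
    """
    fix = sanitize_xml_text if sanitize else (lambda text: text)
    parts = [f"<Event><Message>{escape(fix(message))}</Message>"]
    for key, value in mdc.items():
        # escape() handles &, < and > but does NOT remove forbidden code points,
        # which is exactly why a separate sanitization step is required.
        parts.append(f'<ContextMap key="{escape(fix(key))}">{escape(fix(value))}</ContextMap>')
    parts.append("</Event>")
    return "".join(parts)


def parses(xml_doc: str) -> bool:
    """Stand-in for a downstream consumer: does a conforming parser accept the record?"""
    try:
        ET.fromstring(xml_doc)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample: a log message carrying a control character (\x01)
    # and an MDC map, as a terminal escape or binary payload might produce.
    sample_message = "request failed: \x01 unexpected byte"
    sample_mdc = {"user": "alice", "requestId": "req-1"}

    raw = render_event(sample_message, sample_mdc, sanitize=False)
    clean = render_event(sample_message, sample_mdc, sanitize=True)
    print("unsanitized record accepted by parser:", parses(raw))    # False: record dropped
    print("sanitized record accepted by parser:  ", parses(clean))  # True
```

A useful detection check for environments still on 2.25.3 or earlier is to run `is_valid_xml_text` over sampled records before they reach the XML consumer: any hit identifies a log line that a conforming parser will reject, and therefore a record that would be silently lost rather than merely mis-rendered.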
--
This message was sent by Atlassian Jira
(v8.20.10#820010)