[ https://issues.apache.org/jira/browse/KAFKA-20510?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mickael Maison resolved KAFKA-20510.
------------------------------------
Resolution: Duplicate
> [CVE-2026-34479] [log4j-1.2-api] [2.25.3]
> -----------------------------------------
>
> Key: KAFKA-20510
> URL: https://issues.apache.org/jira/browse/KAFKA-20510
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 4.2.0
> Reporter: Krishna Chidrawar
> Priority: Major
>
> The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape
> characters forbidden by the XML 1.0 standard, producing malformed XML output.
> Conforming XML parsers are required to reject documents containing such
> characters with a fatal error, which may cause downstream log processing
> systems to drop or fail to index affected records.
> Two groups of users are affected:
> * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
> * Those using the Log4j 1 configuration compatibility layer with
>   org.apache.log4j.xml.XMLLayout specified as the layout class.
> Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version
> 2.25.4, which corrects this issue.
> Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be
> present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2
> migration guide
> [https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html], and
> specifically the section on eliminating reliance on the bridge.
> *NVD URL:* [https://nvd.nist.gov/vuln/detail/CVE-2026-34479]
> *Fix Version:* 2.25.4
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
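
The failure mode described in the issue, seen from the side of a downstream log consumer, as an added example that is not part of the original message or of Log4j: it lists the characters XML 1.0 forbids in a log message and shows that a conforming parser rejects an event containing one. `render_event` is a constructed stand-in for an XML layout, the sample messages are constructed, and replacing forbidden characters with U+FFFD is a choice made for this example, not a description of the 2.25.4 fix.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Complement of the XML 1.0 "Char" production:
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
FORBIDDEN = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")

def forbidden_chars(text):
    """Return (offset, code point) for every character XML 1.0 forbids."""
    return [(m.start(), f"U+{ord(m.group()):04X}")
            for m in FORBIDDEN.finditer(text)]

def sanitize(text, replacement="\uFFFD"):
    """Replace forbidden characters (assumed policy for this example)."""
    return FORBIDDEN.sub(replacement, text)

def render_event(message, clean):
    """Constructed stand-in for an XML layout: markup is escaped either way,
    forbidden characters are only handled when clean=True."""
    body = sanitize(message) if clean else message
    return f"<event><message>{escape(body)}</message></event>"

def parses(document):
    """True if a conforming parser (expat) accepts the document."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False

def audit(messages):
    """Per message: forbidden characters found, and whether the raw and the
    sanitized event are well-formed."""
    return [{"forbidden": forbidden_chars(m),
             "raw_parses": parses(render_event(m, clean=False)),
             "clean_parses": parses(render_event(m, clean=True))}
            for m in messages]

# Constructed sample log messages.
SAMPLES = [
    "user login ok <id=7>",
    "terminal colour \x1b[31mred\x1b[0m",
    "stray backspace \x08 in input",
    "tab\tand newline\nare allowed",
]

if __name__ == "__main__":
    for msg, result in zip(SAMPLES, audit(SAMPLES)):
        print(repr(msg), result)
```

Running `forbidden_chars` over existing log files gives a quick count of records that an XML-based pipeline would have rejected.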