{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-10T15:41:07Z",
  "bugzilla" : {
    "description" : "org.apache.logging.log4j/log4j-1.2-api: Apache Log4j 1-to-Log4j 2 bridge: Log processing denial of service due to improper XML escaping",
    "id" : "2457313",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2457313"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-91",
  "details" : [ "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\nTwo groups of users are affected:\n*  Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n*  Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the  Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.", "A flaw was found in the Apache Log4j 1-to-Log4j 2 bridge. The Log4j1XmlLayout component fails to properly escape characters forbidden by the XML 1.0 standard. This improper handling of characters results in malformed XML output, which can cause downstream log processing systems to drop or fail to index affected records. The primary consequence is a denial of service for log analysis, potentially hindering security monitoring and incident response." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Offline Knowledge Portal 1.2.4",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21773",
    "cpe" : "cpe:/a:redhat:offline_knowledge_portal:1.2::el9",
    "package" : "offline-knowledge-portal/rhokp-rhel9:1779996999"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Fix deferred",
    "package_name" : "log4j-1.2-api",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "log4j:2/log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Fix deferred",
    "package_name" : "log4j-1.2-api",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Fix deferred",
    "package_name" : "log4j-1.2-api",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Fix deferred",
    "package_name" : "log4j-1.2-api",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Fix deferred",
    "package_name" : "log4j-1.2-api",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Offline Knowledge Portal",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-user-workloads/rhokp-core-encrypted",
    "cpe" : "cpe:/a:redhat:offline_knowledge_portal:1"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-modelmesh-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-modelmesh-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Fix deferred",
    "package_name" : "log4j-1.2-api",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-34479\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34479\nhttps://github.com/apache/logging-log4j2/pull/4078\nhttps://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on\nhttps://logging.apache.org/cyclonedx/vdr.xml\nhttps://logging.apache.org/log4j/2.x/migrate-from-log4j1.html\nhttps://logging.apache.org/security.html#CVE-2026-34479" ],
  "name" : "CVE-2026-34479",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}