Apache Log4j 1-to-Log4j 2 Bridge Log Event Loss Vulnerability in XmlLayout

Vulnerability

A vulnerability exists in the Apache Log4j 1-to-Log4j 2 bridge, specifically in the Log4j1XmlLayout component. This vulnerability arises because the layout fails to properly escape characters that are not allowed by the XML 1.0 standard, leading to the creation of malformed XML. As a result, XML parsers that adhere to the standard are expected to reject such documents, causing downstream log processing systems to either drop or fail to index the affected records. The vulnerability affects two groups of users: those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file, and those utilizing the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout as the specified layout class.

Impact

The vulnerability causes a silent loss of log events, with affected records either being dropped or not indexed by downstream log processing systems.

Remediation

Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which addresses this issue. The bridge is deprecated and will not be available in Log4j 3, so users should consult the Log4j 1 to Log4j 2 migration guide to eliminate reliance on the bridge.
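As an added illustration, not code from the Log4j project or from this advisory, the following Python checks log text against the XML 1.0 character rules, renders a constructed approximation of a Log4j 1-style XML event, and shows that a standard-conforming parser rejects the event while the forbidden character is present but accepts it once the character is replaced. The event format, the namespace wrapper and the sample message are assumptions made for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 "Char" production. Anything outside it (e.g. raw control characters
# such as \x01 or ESC \x1b) may not appear in a document at all, not even as a
# numeric character reference like &#27;, so escaping alone cannot fix it.
_XML10_INVALID = re.compile(
    "[^\x09\x0a\x0d\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)

def find_invalid_chars(text: str) -> list[tuple[int, str]]:
    """Return (offset, char) for every character XML 1.0 forbids in `text`."""
    return [(m.start(), m.group()) for m in _XML10_INVALID.finditer(text)]

def sanitize_message(text: str) -> str:
    """Replace forbidden characters with a visible, well-formed marker (U+FFFD)."""
    return _XML10_INVALID.sub("\ufffd", text)

def render_event(message: str, level: str = "INFO") -> str:
    """Constructed approximation of a Log4j 1-style XML event (assumption, not
    the bridge's own output); CDATA termination ("]]>") is out of scope here."""
    return (
        '<log4j:event logger="app" level="%s">'
        "<log4j:message><![CDATA[%s]]></log4j:message>"
        "</log4j:event>" % (level, message)
    )

def parses(event_xml: str) -> bool:
    """True if a conforming parser accepts the event. The wrapper element only
    declares the log4j prefix (namespace URI assumed) so the fragment is parseable."""
    doc = '<root xmlns:log4j="http://jakarta.apache.org/log4j/">%s</root>' % event_xml
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False

def main():
    # Constructed message carrying an ANSI colour escape (ESC = \x1b), which XML 1.0 forbids.
    raw = "user login \x1b[31mFAILED\x1b[0m for alice"
    print(find_invalid_chars(raw))                        # the two ESC offsets
    print(parses(render_event(raw)))                      # False: record would be dropped
    print(parses(render_event(sanitize_message(raw))))    # True: record survives

if __name__ == "__main__":
    main()
```

Running `find_invalid_chars` over the layout's output in a pipeline test surfaces the silent loss described above before the records reach an indexer.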

Added: Apr 10, 2026, 4:47 PM
Updated: Apr 10, 2026, 4:47 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 5.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.