Apache Log4j Core
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*
- >= 2.0-alpha1, < 2.25.4
- >= 3.0.0-alpha1, <= 3.0.0-beta3
A vulnerability exists in Apache Log4j Core's XmlLayout, in versions up to and including 2.25.3. The layout fails to properly sanitize characters that are forbidden by the XML 1.0 specification, leading to the creation of invalid XML output. This issue arises whenever a log message or MDC value contains such characters. The consequences of this vulnerability vary depending on the StAX implementation in use. With the JRE's built-in StAX, forbidden characters are silently written to the output, resulting in malformed XML. Conforming parsers are required to reject such documents with a fatal error, which could cause downstream log-processing systems to discard the affected records. In contrast, alternative StAX implementations, such as Woodstox (a transitive dependency of the Jackson XML Dataformat module), throw an exception during the logging call, causing the log event to be lost and only reported to Log4j's internal status logger.
Exploitation of this vulnerability results in silent log event loss. The malformed XML output produced can cause downstream log processing systems to drop or fail to index the affected records, impairing audit trails and the detection of malicious activity.
Users are advised to upgrade to Apache Log4j Core version 2.25.4, which addresses this vulnerability by sanitizing forbidden characters before generating XML output.
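The following Python script is an added illustration of the failure mode described above; it is not Log4j's XmlLayout code, and the `<Event>`/`<Message>`/`<ContextMap>` structure it emits is a simplified stand-in for the real layout's output. The `render_event` function simulates an unpatched layout (XML syntax is escaped, but code points forbidden by the XML 1.0 `Char` production pass straight through) beside a sanitizing variant, and `parses` uses Python's expat-based parser in place of a conforming downstream consumer to show that the unsanitized record is rejected with a fatal error while the sanitized one is accepted. `forbidden_positions` is a small audit helper a log-pipeline owner could run over existing XML log files to find records that will be dropped.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML 1.0 "Char" production:
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# Anything outside it (other C0 controls, surrogates, U+FFFE/U+FFFF) is forbidden
# even when escaped, because escaping only addresses markup, not the character set.
_FORBIDDEN_XML10 = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def sanitize_xml10(text: str, replacement: str = "\uFFFD") -> str:
    """Replace every character forbidden by XML 1.0 with `replacement`.

    U+FFFD is a reasonable default: it is itself a legal XML character and
    makes the substitution visible to whoever reads the log later.
    """
    return _FORBIDDEN_XML10.sub(replacement, text)


def forbidden_positions(text: str) -> list:
    """(offset, code point) of each forbidden character, for auditing existing output."""
    return [(m.start(), ord(m.group())) for m in _FORBIDDEN_XML10.finditer(text)]


def render_event(message: str, mdc: dict, sanitize: bool) -> str:
    """Render a minimal XML log event (assumed, simplified structure).

    sanitize=False mirrors the behaviour the advisory describes for the JRE's
    built-in StAX writer: markup is escaped but forbidden code points are
    written verbatim, yielding a document that is not well-formed.
    """
    clean = sanitize_xml10 if sanitize else (lambda s: s)
    entries = "".join(
        f'<Entry key="{escape(clean(k), {chr(34): "&quot;"})}">{escape(clean(v))}</Entry>'
        for k, v in mdc.items()
    )
    return (
        '<Event level="INFO">'
        f"<Message>{escape(clean(message))}</Message>"
        f"<ContextMap>{entries}</ContextMap>"
        "</Event>"
    )


def parses(xml_text: str) -> bool:
    """True if a conforming parser accepts the document, False on a fatal error."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


# Constructed sample: a message carrying a C0 control character (U+0001) and an
# MDC value carrying an ESC byte from an ANSI colour sequence (U+001B).
SAMPLE_MESSAGE = "login for user failed \x01 (bad password)"
SAMPLE_MDC = {"user": "alice\x1b[31m", "session": "s-42"}


def demo() -> dict:
    """Run both renderings and report whether a downstream parser accepts them."""
    raw = render_event(SAMPLE_MESSAGE, SAMPLE_MDC, sanitize=False)
    fixed = render_event(SAMPLE_MESSAGE, SAMPLE_MDC, sanitize=True)
    return {
        "raw_parses": parses(raw),        # False: record would be dropped downstream
        "fixed_parses": parses(fixed),    # True
        "raw_forbidden": forbidden_positions(raw),
        "fixed_forbidden": forbidden_positions(fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `escape` leaves U+0001 and U+001B untouched; only a character-set filter such as `sanitize_xml10` removes them, which is the distinction the fix in 2.25.4 addresses. Tab, LF and CR are deliberately preserved by the filter because XML 1.0 permits them.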