SB2026071022 - IBM Maximo Scheduler Optimizer update for Apache Log4j



SB2026071022 - IBM Maximo Scheduler Optimizer update for Apache Log4j

Published: July 10, 2026

Security Bulletin ID SB2026071022
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Partial DoS

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-34479)

CWE-ID: CWE-116 - Improper Encoding or Escaping of Output

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause downstream log processing systems to drop or fail to index affected records.

The vulnerability exists due to improper output neutralization in Log4j1XmlLayout when producing XML log output containing characters forbidden by the XML 1.0 standard. A remote attacker can cause such characters to be included in logged data to cause downstream log processing systems to drop or fail to index affected records.

The issue affects configurations using Log4j1XmlLayout directly in a Log4j Core 2 configuration file or through the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.


Remediation

Install update from vendor's website.