
Markus Magnuson

#42530 of 53,632
6.3 Total CVSS
Vulnerabilities · 1
PT-2026-31939
6.3
2026-04-10
Apache · Log4J Core · CVE-2026-34477
**Name of the Vulnerable Software and Affected Versions**

Apache Log4j Core versions 2.12.0 through 2.25.3

**Description**

A flaw exists where hostname verification is ignored when configured through the `verifyHostName` attribute of the `<Ssl>` element. This occurs even if the attribute is explicitly set, leaving TLS connections susceptible to interception. A network-based attacker could perform a man-in-the-middle attack if an SMTP, Socket, or Syslog appender is used, TLS is configured via a nested `<Ssl>` element, and the attacker possesses a certificate issued by a CA trusted by the configured or default Java trust store.

**Recommendations**

Upgrade to Apache Log4j Core 2.25.4.