PT-2020-3311 · Apache · Apache Log4J
Published: 2020-04-13 · Updated: 2022-05-12 · CVE-2020-9488
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Log4j versions prior to 2.12.3
Apache Log4j versions prior to 2.13.1
Apache Log4j versions prior to 2.13.2
Description
The Apache Log4j SMTP appender does not properly validate the server certificate when the certificate's host name does not match the host it connected to (host mismatch). An attacker positioned between the application and the mail server could therefore intercept an SMTPS connection in a man-in-the-middle attack, potentially leaking the log messages sent through the appender.
Recommendations
For Apache Log4j versions prior to 2.12.3, update to version 2.12.3 or later.
For Apache Log4j versions prior to 2.13.1, update to version 2.13.1 or later.
For Apache Log4j versions prior to 2.13.2, update to version 2.13.2 or later.
As a temporary workaround, consider disabling the SMTP appender until a patch is available.
Restrict access to the SMTP appender to minimize the risk of exploitation.
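The three version rules above are easy to misread because the 2.13.1 and 2.13.2 entries overlap. The following check, an added example that is not part of this advisory or of the Log4j project, encodes the rules per 2.x release branch (2.12.x fixed in 2.12.3, 2.13.x fixed in 2.13.2, everything below 2.12.3 affected) and applies them to a constructed listing of `log4j-core` jar names such as a dependency directory would show. The jar-name pattern, the `FIXED_BY_BRANCH` table and the sample listing are assumptions made for the example; versions outside the 2.x line are reported as out of scope because the advisory does not speak to them.

```python
"""Version check for CVE-2020-9488 (Log4j SMTP appender host name validation).

Added example, not from the advisory or the Log4j project. It encodes the
advisory's fixed versions (2.12.3, 2.13.1, 2.13.2) per 2.x release branch;
the 2.13.1 rule is subsumed by the 2.13.2 rule. Jar names below are
constructed sample input.
"""
import re
from typing import List, Optional, Tuple

# Minimum fixed version per 2.x minor branch, taken from the advisory.
# Branches below 2.12 fall under "prior to 2.12.3"; 2.14+ are not listed.
FIXED_BY_BRANCH = {12: (2, 12, 3), 13: (2, 13, 2)}

# Assumed naming pattern for the appender-carrying jar, e.g. log4j-core-2.13.0.jar
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple; missing parts read as 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> Optional[bool]:
    """Apply the advisory's rules to a Log4j 2.x version string.

    Returns True when the version is affected, False when it is at or above
    the branch's fixed version (or in a later branch), and None for versions
    outside the 2.x line, which the advisory does not cover.
    """
    major, minor, patch = parse_version(version)
    if major != 2:
        return None
    if minor in FIXED_BY_BRANCH:
        return (major, minor, patch) < FIXED_BY_BRANCH[minor]
    # 2.0 .. 2.11: "prior to 2.12.3"; 2.14 and later: not listed as affected
    return (major, minor, patch) < FIXED_BY_BRANCH[12]


def fixed_version_for(version: str) -> Optional[str]:
    """Return the advisory's minimum fixed version for an affected release, else None."""
    if not is_affected(version):
        return None
    minor = parse_version(version)[1]
    target = FIXED_BY_BRANCH.get(minor, FIXED_BY_BRANCH[12])
    return ".".join(map(str, target))


def scan_jar_names(names: List[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (name, version, affected) for every log4j-core jar in a listing."""
    report = []
    for name in names:
        match = JAR_RE.search(name)
        if match:
            version = ".".join(match.groups())
            report.append((name, version, is_affected(version)))
    return report


# Constructed sample listing; the api jar carries no appender and the 1.x jar
# does not match the pattern, so both are skipped.
SAMPLE_JARS = [
    "lib/log4j-core-2.11.2.jar",
    "lib/log4j-core-2.12.3.jar",
    "lib/log4j-core-2.13.0.jar",
    "lib/log4j-core-2.13.2.jar",
    "lib/log4j-api-2.13.0.jar",
    "lib/log4j-1.2.17.jar",
]

if __name__ == "__main__":
    for name, version, affected in scan_jar_names(SAMPLE_JARS):
        status = f"AFFECTED, update to {fixed_version_for(version)}" if affected else "ok"
        print(f"{name}: {version} {status}")
```

Running the module prints one line per `log4j-core` jar found; on the constructed listing, 2.11.2 and 2.13.0 are reported as affected with 2.12.3 and 2.13.2 as the respective targets. The check covers only the version rule; it does not inspect whether the SMTP appender is actually configured, which is what determines exposure in practice.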
Fix
Improper Certificate Validation
Related Identifiers
Affected Products
Apache Log4J
Astra Linux