Source: apache-log4j2
Version: 2.19.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/apache/logging-log4j2/pull/4002
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for apache-log4j2.

CVE-2025-68161[0]:
| The Socket Appender in Apache Log4j Core versions 2.0-beta9 through
| 2.25.2 does not perform TLS hostname verification of the peer
| certificate, even when the verifyHostName
| https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
| configuration attribute or the log4j2.sslVerifyHostName
| https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName
| system property is set to true. This issue may allow a man-in-the-middle
| attacker to intercept or redirect log traffic under the following
| conditions:
|
| * The attacker is able to intercept or redirect network traffic
|   between the client and the log receiver.
| * The attacker can present a server certificate issued by a
|   certification authority trusted by the Socket Appender’s configured
|   trust store (or by the default Java trust store if no custom trust
|   store is configured).
|
| Users are advised to upgrade to Apache Log4j Core version 2.25.3,
| which addresses this issue. As an alternative mitigation, the Socket
| Appender may be configured to use a private or restricted trust root
| to limit the set of trusted certificates.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68161
    https://www.cve.org/CVERecord?id=CVE-2025-68161
[1] https://github.com/apache/logging-log4j2/pull/4002
[2] https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
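As an added illustration (not code from Log4j or from this report), the two controls the CVE text refers to, written against plain JSSE: enabling peer hostname verification on an SSLSocket, and pinning trust to a private trust store instead of the default Java one. The host, port, trust-store path and password are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class VerifiedTlsClient {

    // Builds an SSLContext that trusts only the CAs in the given store:
    // the "private or restricted trust root" mitigation named in the advisory.
    static SSLContext restrictedTrustContext(String storePath, char[] storePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath)) {
            trustStore.load(in, storePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens a TLS socket. When verifyHostName is true the handshake also checks
    // that the peer certificate's SAN/CN matches `host`; when it is false (the
    // vulnerable behaviour), any certificate chaining to a trusted CA is accepted
    // regardless of the name it carries.
    static SSLSocket connect(SSLContext ctx, String host, int port, boolean verifyHostName) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        if (verifyHostName) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 style name matching
            socket.setSSLParameters(params);
        }
        socket.startHandshake(); // SSLHandshakeException on name mismatch when verification is on
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: a log receiver and a store holding only its issuing CA.
        String host = args.length > 0 ? args[0] : "log-receiver.example";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 4560;
        SSLContext ctx = restrictedTrustContext("/path/to/truststore.p12", "changeit".toCharArray());
        try (SSLSocket s = connect(ctx, host, port, true)) {
            System.out.println("Verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Pointing the client at a receiver whose certificate is trusted but issued for a different name is a quick way to confirm that a TLS client actually enforces hostname verification: the handshake must fail.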

