This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch fix/new-cves
in repository https://gitbox.apache.org/repos/asf/logging-site.git

commit fb63af900dc2b71cda09785cdf1aadd2af4038d7
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Fri Apr 10 14:27:06 2026 +0200

    Add details for CVE-2026-34477
---
 .../modules/ROOT/pages/_vulnerabilities.adoc       | 48 ++++++++++++
 src/site/static/cyclonedx/vdr.xml                  | 85 +++++++++++++++++++++-
 2 files changed, 132 insertions(+), 1 deletion(-)

diff --git a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc 
b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc
index 6ab5ffc2..a9bf0a60 100644
--- a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc
+++ b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc
@@ -29,6 +29,54 @@ Version ranges follow the 
https://github.com/package-url/vers-spec/blob/main/VER
 For brevity, mathematical interval notation is used, with the union operator 
(`∪`) to represent multiple ranges.
 ====
 
+[#CVE-2026-34477]
+== {cve-url-prefix}/CVE-2026-34477[CVE-2026-34477]
+
+[cols="1h,5"]
+|===
+|Summary |`verifyHostName` attribute silently ignored in TLS configuration
+|CVSS 4.x Score & Vector |6.3 MEDIUM 
(CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N)
+|Components affected |Log4j Core
+|Versions affected |`[2.12.0, 2.25.4) ∪ [3.0.0-alpha1, 3.0.0-beta3]`
+|Versions fixed |`2.25.4`
+|===
+
+[#CVE-2026-34477-description]
+=== Description
+
+The fix for <<CVE-2025-68161>> was incomplete: it addressed hostname 
verification only when enabled via the
+https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName[`log4j2.sslVerifyHostName`]
+system property, but not when configured through the
+https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName[`verifyHostName`]
+attribute of the `<Ssl>` element.
+
+Although the `verifyHostName` configuration attribute was introduced in Log4j 
Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving 
TLS connections vulnerable to interception regardless of the configured value.
+
+A network-based attacker may be able to perform a man-in-the-middle attack 
when *all* of the following conditions are met:
+
+* An SMTP, Socket, or Syslog appender is in use.
+* TLS is configured via a nested `<Ssl>` element.
+* The attacker can present a certificate issued by a CA trusted by the 
appender's configured trust store, or by the default Java trust store if none 
is configured.
+
+This issue does not affect users of the HTTP appender, which uses a separate
+https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName[`verifyHostname`]
+attribute that was not subject to this bug and verifies host names by default.
+
+[#CVE-2026-34477-remediation]
+=== Remediation
+
+Users are advised to upgrade to Apache Log4j Core version `2.25.4`, which 
corrects this issue.
+
+[#CVE-2026-34477-credits]
+=== Credits
+
+This issue was originally reported by Samuli Leinonen and independently 
reported by Naresh Kandula, Vitaly Simonovich, Raijuna, Danish Siddiqui 
(djvirus), Markus Magnuson, and Haruki Oyama (Waseda University).
+
+[#CVE-2026-34477-references]
+=== References
+* {cve-url-prefix}/CVE-2026-34477[CVE-2026-34477]
+* https://github.com/apache/logging-log4j2/pull/4075[Pull request that fixes 
the issue]
+
 [#CVE-2025-68161]
 == {cve-url-prefix}/CVE-2025-68161[CVE-2025-68161]
 
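Review bot: the "Versions affected" row lists `[3.0.0-alpha1, 3.0.0-beta3]` alongside the 2.x range, but "Versions fixed" names only `2.25.4` and the description says the attribute "was silently ignored in all versions through 2.25.3" without mentioning the 3.x pre-releases; state the 3.x status explicitly (either a fixed 3.x version or a sentence that the 3.x line is affected and has no fixed release) so readers of the table are not left to guess. Minor style point: every other section in this hunk puts a blank line after its `===` heading, but `=== References` runs straight into `* {cve-url-prefix}/CVE-2026-34477[CVE-2026-34477]`; add the blank line for consistency with `=== Remediation` and `=== Credits`.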
diff --git a/src/site/static/cyclonedx/vdr.xml 
b/src/site/static/cyclonedx/vdr.xml
index 05c1dccf..9ed0a4fe 100644
--- a/src/site/static/cyclonedx/vdr.xml
+++ b/src/site/static/cyclonedx/vdr.xml
@@ -40,7 +40,7 @@
 <bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
      xmlns="http://cyclonedx.org/schema/bom/1.6";
      xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
-     version="6"
+     version="7"
      serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
 
   <metadata>
@@ -89,6 +89,89 @@
 
   <vulnerabilities>
 
+    <vulnerability>
+        <id>CVE-2026-34477</id>
+        <source>
+            <name>NVD</name>
+            <url>https://nvd.nist.gov/vuln/detail/CVE-2026-34477</url>
+        </source>
+        <ratings>
+            <rating>
+                <source>
+                    <name>The Apache Software Foundation</name>
+                    <url>
+                        
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+                </source>
+                <score>6.3</score>
+                <severity>medium</severity>
+                <method>CVSSv4</method>
+                
<vector>AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+            </rating>
+        </ratings>
+        <cwes>
+            <cwe>297</cwe>
+        </cwes>
+        <description><![CDATA[The fix for CVE-2025-68161 was incomplete: it 
addressed hostname verification only when enabled via the
+https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName[`log4j2.sslVerifyHostName`]
+system property, but not when configured through the
+https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName[`verifyHostName`]
+attribute of the `<Ssl>` element.
+
+Although the `verifyHostName` configuration attribute was introduced in Log4j 
Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving 
TLS connections vulnerable to interception regardless of the configured value.
+
+A network-based attacker may be able to perform a man-in-the-middle attack 
when *all* of the following conditions are met:
+
+* An SMTP, Socket, or Syslog appender is in use.
+* TLS is configured via a nested `<Ssl>` element.
+* The attacker can present a certificate issued by a CA trusted by the 
appender's configured trust store, or by the default Java trust store if none 
is configured.
+
+This issue does not affect users of the HTTP appender, which uses a separate
+https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName[`verifyHostname`]
+attribute that was not subject to this bug and verifies host names by 
default.]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 
Core version `2.25.4`, which corrects this issue.]]></recommendation>
+        <created>2026-04-10T11:53:17Z</created>
+        <published>2026-04-10T11:53:17Z</published>
+        <updated>2026-04-10T11:53:17Z</updated>
+        <credits>
+            <individuals>
+                <individual>
+                    <name>Samuli Leinonen</name>
+                </individual>
+                <individual>
+                    <name>Naresh Kandula</name>
+                </individual>
+                <individual>
+                    <name>Vitaly Simonovich</name>
+                </individual>
+                <individual>
+                    <name>Raijuna</name>
+                </individual>
+                <individual>
+                    <name>Danish Siddiqui</name>
+                </individual>
+                <individual>
+                    <name>Markus Magnuson</name>
+                </individual>
+                <individual>
+                    <name>Haruki Oyama</name>
+                </individual>
+            </individuals>
+        </credits>
+        <affects>
+            <target>
+                <ref>log4j-core</ref>
+                <versions>
+                    <version>
+                        <range><![CDATA[vers:maven/>=2.12.0|<2.25.4]]></range>
+                    </version>
+                    <version>
+                        
<range><![CDATA[vers:maven/>=3.0.0-alpha1|<=3.0.0-beta3]]></range>
+                    </version>
+                </versions>
+            </target>
+        </affects>
+    </vulnerability>
+
     <vulnerability>
         <id>CVE-2025-68161</id>
         <source>
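Review bot: the `<description>` and `<recommendation>` CDATA bodies carry AsciiDoc markup copied verbatim from `_vulnerabilities.adoc` (link macros such as `https://logging.apache.org/...[`verifyHostName`]`, backtick monospace, `*all*`, and `*` bullet items), which VDR consumers will render as raw text rather than as links or emphasis; rewrite these two fields as plain prose (for example "the `verifyHostName` attribute of the `<Ssl>` element" with the URL spelled out or dropped) so the advisory reads correctly in tooling that ingests the CycloneDX document. Also note that the `<credits>` entries drop the "(djvirus)" handle and "(Waseda University)" affiliation that the `.adoc` page records; if the schema's `<individual>` cannot carry them, that is fine, but it is worth confirming the two credit lists are meant to differ.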