[https://issues.apache.org/jira/browse/HDDS-14366?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Attila Doroszlai updated HDDS-14366:
------------------------------------
Status: Patch Available (was: Open)
> Upgrade log4j to 2.25.3 due to CVEs
> -----------------------------------
>
> Key: HDDS-14366
> URL: https://issues.apache.org/jira/browse/HDDS-14366
> Project: Apache Ozone
> Issue Type: Task
> Reporter: Rohit Kumar
> Assignee: Rohit Kumar
> Priority: Minor
> Labels: pull-request-available
>
> *CVE-2025-68161*:
> The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2
> does not perform TLS hostname verification of the peer certificate, even when
> the verifyHostName
> [https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName]
> configuration attribute or the log4j2.sslVerifyHostName
> [https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName]
> system property is set to true.
> This issue may allow a man-in-the-middle attacker to intercept or redirect
> log traffic under the following conditions:
> * The attacker is able to intercept or redirect network traffic between the
> client and the log receiver.
> * The attacker can present a server certificate issued by a certification
> authority trusted by the Socket Appender’s configured trust store (or by the
> default Java trust store if no custom trust store is configured).
> Users are advised to upgrade to Apache Log4j Core version 2.25.3, which
> addresses this issue.
> As an alternative mitigation, the Socket Appender may be configured to use a
> private or restricted trust root to limit the set of trusted certificates.
> CVSS Score: None (None)
> [https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
> *Affected Packages:*
> * Package: org.apache.logging.log4j:log4j-core
> Vulnerable: >= 2.0-beta9, < 2.25.3
> Patched: 2.25.3
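The alternative mitigation named in the advisory, as an added configuration example that is not from the ticket, from Ozone or from the Log4j project: a Socket Appender over TLS whose trust store contains only the operator's own log-receiver CA, so that on the affected versions, where verifyHostName is not honoured, the set of certificates the appender will accept is still limited. Host name, port, trust store path and environment variable name are placeholders; the SSL and TrustStore elements and their attributes are used as documented for Log4j 2.x.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the ticket): Socket Appender with a private,
     restricted trust root as described in the CVE-2025-68161 advisory. -->
<Configuration status="WARN">
  <Appenders>
    <!-- Placeholder host and port; protocol="SSL" selects the TLS variant
         of the Socket Appender. -->
    <Socket name="LogReceiver" host="log-receiver.internal.example" port="6514"
            protocol="SSL" connectTimeoutMillis="5000"
            reconnectionDelayMillis="10000">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1}: %m%n"/>
      <!-- verifyHostName="true" stays set, but on log4j-core 2.0-beta9 through
           2.25.2 the Socket Appender does not enforce it. Until the upgrade to
           2.25.3 is rolled out, the restricted trust store below is what bounds
           which certificates this connection will accept. -->
      <SSL protocol="TLSv1.2" verifyHostName="true">
        <!-- Trust store holding ONLY the log-receiver CA, not the default
             Java cacerts bundle. Path and environment variable are placeholders. -->
        <TrustStore location="/etc/ozone/tls/log-receiver-truststore.p12"
                    type="PKCS12"
                    passwordEnvironmentVariable="LOG_RECEIVER_TRUSTSTORE_PASSWORD"/>
      </SSL>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="LogReceiver"/>
    </Root>
  </Loggers>
</Configuration>
```

Keep the trust store out of the default Java trust store so a certificate from any publicly trusted CA is rejected; after upgrading to 2.25.3, verifyHostName is enforced in addition to this restriction.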
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]