[ 
https://issues.apache.org/jira/browse/LOG4J2-2819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17139353#comment-17139353
 ] 

Elliotte Rusty Harold commented on LOG4J2-2819:
-----------------------------------------------

Just to be 100% clear, the reported CVE does not affect log4j 1.2? Or this 
patch to fix the CVE does not apply to log4j 1.2?

Maven still requires Java 7, so 2.2.12 or such is as high as we can upgrade 
right now.

> Add support for specifying an SSL configuration for SmtpAppender
> ----------------------------------------------------------------
>
>                 Key: LOG4J2-2819
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2819
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Appenders
>    Affects Versions: 2.13.1
>            Reporter: Matt Sicker
>            Assignee: Matt Sicker
>            Priority: Major
>             Fix For: 2.13.2
>
>
> The SmtpAppender should be able to use an SSL configuration element to 
> specify a trust store, host name verification, and a key store, so that smtps 
> connections can be further configured. This should re-use the same {{<SSL/>}} 
> configuration element that's used elsewhere like HttpAppender.
> h2. CVE-2020-9488
> The SmtpAppender did not verify the host name matched the SSL/TLS certificate 
> of an SMTPS connection which could allow an attacker with man-in-the-middle 
> access to intercept log messages sent through SMTPS.
> h3. Mitigation
> Upgrade to 2.13.2 which supports this feature. Previous versions can set the 
> system property {{mail.smtp.ssl.checkserveridentity}} to {{true}} to globally 
> enable hostname verification for SMTPS connections.
> h3. Details
> CWE: 297
> CVSS: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
> Reporter: Peter Stöckli <[email protected]>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
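For readers who cannot yet move to 2.13.2 (as in the Java 7 situation mentioned above), the mitigation in the quoted issue comes down to two things: trusting an explicit trust store and turning on host name verification for the SMTPS session. The following Java class is an added illustration, not Log4j code and not part of the Jira discussion; it shows those two settings expressed directly as JavaMail `Session` properties. The trust store path, its password, the host `smtp.example.com` and port 465 are assumed placeholder values, and the class assumes a JavaMail/Jakarta Mail jar in the `javax.mail` namespace on the classpath.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Log4j project code): the JavaMail settings that correspond to
 * a trust store plus host name verification for an SMTPS connection, i.e. the two
 * controls CVE-2020-9488's mitigation is about.
 */
public final class SmtpsSessionProperties {

    /**
     * Loads a PKCS12 trust store and builds an SSLSocketFactory that accepts only
     * the certificates in it (rather than the JVM-wide cacerts).
     */
    static SSLSocketFactory socketFactoryFor(String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /**
     * Session properties for an SMTPS connection that (a) trusts only the given
     * socket factory's trust store and (b) checks that the server certificate
     * matches the host name. Leaving "mail.smtp.ssl.checkserveridentity" off is
     * the condition the issue describes: TLS is used, but a man-in-the-middle
     * holding any trusted certificate for a different name is not rejected.
     */
    static Properties hardenedSmtpsProperties(String host, int port, SSLSocketFactory factory) {
        Properties p = new Properties();
        p.put("mail.smtp.host", host);
        p.put("mail.smtp.port", Integer.toString(port));
        p.put("mail.smtp.ssl.enable", "true");
        // JavaMail accepts an SSLSocketFactory *instance* under this key.
        p.put("mail.smtp.ssl.socketFactory", factory);
        // The property named in the issue's Mitigation section; "true" enables
        // host name verification of the server certificate.
        p.put("mail.smtp.ssl.checkserveridentity", "true");
        return p;
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholder values for illustration only.
        SSLSocketFactory factory =
                socketFactoryFor("/etc/app/mail-truststore.p12", "changeit".toCharArray());
        Properties props = hardenedSmtpsProperties("smtp.example.com", 465, factory);
        javax.mail.Session session = javax.mail.Session.getInstance(props);
        System.out.println("checkserveridentity="
                + session.getProperty("mail.smtp.ssl.checkserveridentity"));
    }
}
```

Setting the same key as a JVM system property (`-Dmail.smtp.ssl.checkserveridentity=true`), as the issue suggests for versions before 2.13.2, works because JavaMail consults system properties for settings not present in the session's own `Properties`; it applies globally to every SMTP session in the JVM, which is usually what you want for a logging appender.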
