[
https://issues.apache.org/jira/browse/LOG4J2-2819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17140025#comment-17140025
]
Ralph Goers commented on LOG4J2-2819:
-------------------------------------
Log4j 1.2 does not support configuring any SSL/TLS information just for the
SmtpAppender. It can only use the properties configured for the JVM. There will
be no patch for Log4j 1.2 since it is EOL.
I believe the Log4j team has said we will not be providing patches for Log4j
2.3 (Java 6) but we are open to providing patches for Java 7.
If Maven requires a version of Log4j compatible with Java 7 that includes this
patch then we will have to create one.
> Add support for specifying an SSL configuration for SmtpAppender
> ----------------------------------------------------------------
>
> Key: LOG4J2-2819
> URL: https://issues.apache.org/jira/browse/LOG4J2-2819
> Project: Log4j 2
> Issue Type: Improvement
> Components: Appenders
> Affects Versions: 2.13.1
> Reporter: Matt Sicker
> Assignee: Matt Sicker
> Priority: Major
> Fix For: 2.13.2
>
>
> The SmtpAppender should be able to use an SSL configuration element to
> specify a trust store, host name verification, and a key store, so that smtps
> connections can be further configured. This should re-use the same {{<SSL/>}}
> configuration element that's used elsewhere like HttpAppender.
> h2. CVE-2020-9488
> The SmtpAppender did not verify the host name matched the SSL/TLS certificate
> of an SMTPS connection which could allow an attacker with man-in-the-middle
> access to intercept log messages sent through SMTPS.
> h3. Mitigation
> Upgrade to 2.13.2 which supports this feature. Previous versions can set the
> system property {{mail.smtp.ssl.checkserveridentity}} to {{true}} to globally
> enable hostname verification for SMTPS connections.
> h3. Details
> CWE: 297
> CVSS: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
> Reporter: Peter Stöckli <[email protected]>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
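As an added illustration (not from the issue or the Log4j project), the two configurations the report contrasts: an SmtpAppender using SMTPS with no way to pin a trust store or require host-name matching, beside the 2.13.2-style appender with the nested `<SSL>` element. Host names, paths and the environment-variable name are constructed placeholders, and the `verifyHostName` attribute name is an assumption about the 2.13.2 change.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not code from the issue or the Log4j project.
     Hosts, addresses, paths and env-var names are constructed placeholders. -->
<Configuration status="WARN">
  <Appenders>
    <!-- Before 2.13.2: the appender talks SMTPS, but the configuration cannot say
         which trust store applies or that the certificate must match smtpHost.
         The only lever is the JVM-wide system property the issue names:
           -Dmail.smtp.ssl.checkserveridentity=true
         Without it a certificate for any host accepted by the default trust
         store is enough, which is the CVE-2020-9488 condition. -->
    <SMTP name="MailUnverified" subject="Application error"
          to="ops@example.com" from="app@example.com"
          smtpHost="smtp.example.com" smtpPort="465"
          smtpProtocol="smtps" bufferSize="50">
      <PatternLayout pattern="%d %p %c{1.} %m%n"/>
    </SMTP>

    <!-- 2.13.2 and later: the same SSL element used by HttpAppender, nested in
         the SmtpAppender. A dedicated trust store limits which CAs are accepted
         and verifyHostName (assumed attribute name) requires the server
         certificate to match smtpHost, independent of JVM-wide properties. -->
    <SMTP name="MailVerified" subject="Application error"
          to="ops@example.com" from="app@example.com"
          smtpHost="smtp.example.com" smtpPort="465"
          smtpProtocol="smtps" bufferSize="50">
      <SSL protocol="TLS" verifyHostName="true">
        <TrustStore location="/etc/app/smtp-truststore.p12" type="PKCS12"
                    passwordEnvironmentVariable="SMTP_TRUSTSTORE_PASSWORD"/>
      </SSL>
      <PatternLayout pattern="%d %p %c{1.} %m%n"/>
    </SMTP>
  </Appenders>
  <Loggers>
    <Root level="info">
      <!-- Only the verified appender is wired in; the other is kept for contrast. -->
      <AppenderRef ref="MailVerified" level="error"/>
    </Root>
  </Loggers>
</Configuration>
```

On a deployment still on an older 2.x line, the system-property form in the first comment is the only way to get host-name checks, and it applies to every JavaMail session in the JVM rather than to this appender alone.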