[
https://issues.apache.org/jira/browse/LOG4J2-2819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464272#comment-17464272
]
ASF subversion and git services commented on LOG4J2-2819:
---------------------------------------------------------
Commit a3cb4862a6476793c3ece81208fd33c78ccfe7db in logging-log4j-site's branch
refs/heads/asf-site from Remko Popma
[ https://gitbox.apache.org/repos/asf?p=logging-log4j-site.git;h=a3cb486 ]
[LOG4J2-2819] update security page for CVE-2020-9488 fix backported to 2.12.3
> Add support for specifying an SSL configuration for SmtpAppender
> ----------------------------------------------------------------
>
> Key: LOG4J2-2819
> URL: https://issues.apache.org/jira/browse/LOG4J2-2819
> Project: Log4j 2
> Issue Type: Improvement
> Components: Appenders
> Affects Versions: 2.13.1
> Reporter: Matt Sicker
> Assignee: Matt Sicker
> Priority: Major
> Fix For: 2.13.2, 2.12.3
>
>
> The SmtpAppender should be able to use an SSL configuration element to
> specify a trust store, host name verification, and a key store, so that smtps
> connections can be further configured. This should re-use the same {{<SSL/>}}
> configuration element that's used elsewhere like HttpAppender.
> h2. CVE-2020-9488
> The SmtpAppender did not verify the host name matched the SSL/TLS certificate
> of an SMTPS connection which could allow an attacker with man-in-the-middle
> access to intercept log messages sent through SMTPS.
> h3. Mitigation
> Upgrade to 2.13.2 which supports this feature. Previous versions can set the
> system property {{mail.smtp.ssl.checkserveridentity}} to {{true}} to globally
> enable hostname verification for SMTPS connections.
> h3. Details
> CWE: 297
> CVSS: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
> Reporter: Peter Stöckli <peter.stoc...@alphabot.com>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
