[
https://issues.apache.org/jira/browse/LOG4J2-2819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17465911#comment-17465911
]
ASF subversion and git services commented on LOG4J2-2819:
---------------------------------------------------------
Commit 3c62f0bea692456b1b5039d3bcc1c3e0ba65146a in logging-log4j2's branch
refs/heads/log4j-2.3.x from Matt Sicker
[ https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=3c62f0b ]
[LOG4J2-2819] Add SSL/TLS hostname verify option
This backports a fix for CVE-2020-9488.
> Add support for specifying an SSL configuration for SmtpAppender
> ----------------------------------------------------------------
>
> Key: LOG4J2-2819
> URL: https://issues.apache.org/jira/browse/LOG4J2-2819
> Project: Log4j 2
> Issue Type: Improvement
> Components: Appenders
> Affects Versions: 2.13.1
> Reporter: Matt Sicker
> Assignee: Matt Sicker
> Priority: Major
> Fix For: 2.13.2, 2.12.3, 2.3.2
>
>
> The SmtpAppender should be able to use an SSL configuration element to
> specify a trust store, host name verification, and a key store, so that smtps
> connections can be further configured. This should re-use the same {{<SSL/>}}
> configuration element that's used elsewhere like HttpAppender.
> h2. CVE-2020-9488
> The SmtpAppender did not verify the host name matched the SSL/TLS certificate
> of an SMTPS connection which could allow an attacker with man-in-the-middle
> access to intercept log messages sent through SMTPS.
> h3. Mitigation
> Upgrade to 2.13.2 which supports this feature. Previous versions can set the
> system property {{mail.smtp.ssl.checkserveridentity}} to {{true}} to globally
> enable hostname verification for SMTPS connections.
> h3. Details
> CWE: 297
> CVSS: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
> Reporter: Peter Stöckli <[email protected]>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
