Bug 1170535 (CVE-2020-9488)

Summary: VUL-1: CVE-2020-9488: log4j: improper validation of certificate with host mismatch in SMTP appender
Product: [Novell Products] SUSE Security Incidents Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: pmonrealgonzalez, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/258459/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-9488:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Backported patch for version 2.x

Description Wolfgang Frisch 2020-04-27 05:23:30 UTC

The SMTP appender component of Log4j does not validate certificates with mismatching host names properly. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that component.

Comment 1 Wolfgang Frisch 2020-04-27 05:23:47 UTC
Mitigation: Users should upgrade to Apache Log4j 2.13.2 which fixed
this issue in LOG4J2-2819 by making SSL settings configurable for
SMTPS mail sessions. As a workaround for previous releases, users can
set the `mail.smtp.ssl.checkserveridentity` system property to `true`
to enable SMTPS hostname verification for all SMTPS mail sessions.
Comment 2 Pedro Monreal Gonzalez 2020-04-27 12:04:29 UTC
Updated to 2.13.3 in Factory:
Comment 4 Pedro Monreal Gonzalez 2020-04-28 11:16:13 UTC
SLE-15-SP2 submission:
Comment 5 Pedro Monreal Gonzalez 2020-04-28 11:19:28 UTC
Created attachment 836947 [details]
Backported patch for version 2.x