Bugzilla – Full Text Bug Listing

Summary: | VUL-1: CVE-2020-9488: log4j: improper validation of certificate with host mismatch in SMTP appender | | |
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Wolfgang Frisch <wolfgang.frisch> |
Component: | Incidents | Assignee: | Security Team bot <security-team> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Minor | | |
Priority: | P4 - Low | CC: | pmonrealgonzalez, smash_bz |
Version: | unspecified | | |
Target Milestone: | --- | | |
Hardware: | Other | | |
OS: | Other | | |
URL: | https://smash.suse.de/issue/258459/ | | |
Whiteboard: | CVSSv3.1:SUSE:CVE-2020-9488:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) | | |
Found By: | Security Response Team | Services Priority: | |
Business Priority: | | Blocker: | --- |
Marketing QA Status: | --- | IT Deployment: | --- |
Attachments: | Backported patch for version 2.x | | |
Description
Wolfgang Frisch
2020-04-27 05:23:30 UTC
Mitigation: Users should upgrade to Apache Log4j 2.13.2 which fixed this issue in LOG4J2-2819 by making SSL settings configurable for SMTPS mail sessions. As a workaround for previous releases, users can set the `mail.smtp.ssl.checkserveridentity` system property to `true` to enable SMTPS hostname verification for all SMTPS mail sessions.

Updated to 2.13.3 in Factory: https://build.opensuse.org/request/show/798213

Master commit: https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=fb91a3d

Version 2.x commits:
https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=6851b50
https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=96b3293

SLE-15-SP2 submission: https://build.suse.de/request/show/217008

Created attachment 836947
Backported patch for version 2.x
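The workaround in the comment above, shown as an added example (this is not Log4j, SUSE or the reporter's code): the JavaMail session properties a pre-fix SMTPS appender would end up with, the same properties with the hostname check switched on, and a small startup check that reports which of the two a running JVM has. Two assumptions are made here and marked in the comments: JavaMail keys its SMTP settings as `mail.<protocol>.*`, so a session whose transport protocol is `smtps` reads `mail.smtps.ssl.checkserveridentity` whereas the advisory names the `mail.smtp.` variant, and the example therefore sets both; and the Log4j session inherits JVM system properties, which is why the `-D` workaround reaches it, so the check falls back to `System.getProperty`. The host name and port are constructed sample values.

```java
import java.util.Properties;

/**
 * Added example for CVE-2020-9488 (not Log4j or SUSE code).
 *
 * Assumption: JavaMail reads SMTP settings as "mail.<protocol>.*", so an
 * SMTPS session looks up "mail.smtps.ssl.checkserveridentity"; the advisory
 * names "mail.smtp.ssl.checkserveridentity", so the hardened setup sets both.
 * Assumption: the Log4j mail session is seeded from JVM system properties,
 * so a -D flag reaches it; the check below mirrors that with a fallback.
 */
public final class SmtpsHostnameVerificationCheck {

    private static final String CHECK_KEY_SUFFIX = ".ssl.checkserveridentity";

    /** Properties the way a pre-fix SMTPS session looks: no hostname check requested. */
    static Properties weakSmtpsProperties(String host, int port) {
        Properties p = new Properties();
        p.setProperty("mail.transport.protocol", "smtps");
        p.setProperty("mail.smtps.host", host);
        p.setProperty("mail.smtps.port", Integer.toString(port));
        // No *.ssl.checkserveridentity key: a trusted certificate for any other
        // host name is accepted, which is the weakness the advisory describes.
        return p;
    }

    /** Same session with the advisory's workaround applied for both protocol names. */
    static Properties hardenedSmtpsProperties(String host, int port) {
        Properties p = weakSmtpsProperties(host, port);
        p.setProperty("mail.smtps" + CHECK_KEY_SUFFIX, "true"); // assumption: key for protocol "smtps"
        p.setProperty("mail.smtp" + CHECK_KEY_SUFFIX, "true");  // key named in the advisory
        return p;
    }

    /**
     * Startup check: true only if the session will verify the server host name
     * for its configured transport protocol. Session properties win; otherwise
     * the JVM system property of the same name is consulted (assumption above).
     */
    static boolean hostnameVerificationEnabled(Properties sessionProps) {
        String protocol = sessionProps.getProperty("mail.transport.protocol", "smtp");
        String key = "mail." + protocol + CHECK_KEY_SUFFIX;
        String value = sessionProps.getProperty(key, System.getProperty(key));
        return Boolean.parseBoolean(value);
    }

    public static void main(String[] args) {
        // Constructed sample values; no connection is made.
        Properties weak = weakSmtpsProperties("mail.example.org", 465);
        Properties hardened = hardenedSmtpsProperties("mail.example.org", 465);
        System.out.println("weak session verifies host name:     " + hostnameVerificationEnabled(weak));
        System.out.println("hardened session verifies host name: " + hostnameVerificationEnabled(hardened));
    }
}
```

Run with `javac SmtpsHostnameVerificationCheck.java && java SmtpsHostnameVerificationCheck`; the weak session reports `false` and the hardened one `true`. Starting the same program with `java -Dmail.smtps.ssl.checkserveridentity=true SmtpsHostnameVerificationCheck` flips the weak session to `true` through the system-property fallback, which is the effect the advisory's workaround relies on for an unpatched Log4j. Upgrading to 2.13.2 or later, where the SSL settings are part of the appender configuration, remains the proper fix.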