Bugzilla – Bug 1170535
VUL-1: CVE-2020-9488: log4j: improper validation of certificate with host mismatch in SMTP appender
Last modified: 2022-02-13 11:46:05 UTC
CVE-2020-9488: The SMTP appender component of Log4j does not validate certificates with mismatching host names properly. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that component.

References:
https://issues.apache.org/jira/browse/LOG4J2-2819
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9488
http://seclists.org/oss-sec/2020/q2/72
Mitigation: Users should upgrade to Apache Log4j 2.13.2, which fixed this issue in LOG4J2-2819 by making SSL settings configurable for SMTPS mail sessions. As a workaround for previous releases, users can set the `mail.smtp.ssl.checkserveridentity` system property to `true` to enable SMTPS hostname verification for all SMTPS mail sessions.
Updated to 2.13.3 in Factory: https://build.opensuse.org/request/show/798213
Master commit:
https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=fb91a3d

Version 2.x commits:
https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=6851b50
https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=96b3293
SLE-15-SP2 submission: https://build.suse.de/request/show/217008
Created attachment 836947: Backported patch for version 2.x