Bugzilla – Bug 1170535
VUL-1: CVE-2020-9488: log4j: improper validation of certificate with host mismatch in SMTP appender
Last modified: 2022-02-13 11:46:05 UTC
The SMTP appender component of Log4j does not validate certificates with mismatching host names properly. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that component.
Mitigation: Users should upgrade to Apache Log4j 2.13.2 which fixed this issue in LOG4J2-2819 by making SSL settings configurable for SMTPS mail sessions. As a workaround for previous releases, users can set the `mail.smtp.ssl.checkserveridentity` system property to `true` to enable SMTPS hostname verification for all SMTPS mail sessions.
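The workaround above only helps if the property actually reaches the JVM that runs the affected Log4j. The following POSIX shell check is an added example written for this page (it is not from the bug report, from Apache Log4j or from the SUSE package); the function name and the sample command lines are constructed for illustration. It inspects a Java command line, optionally together with a JAVA_TOOL_OPTIONS value, and reports whether `mail.smtp.ssl.checkserveridentity` (the property exactly as the advisory names it) ends up set to `true`. The JVM prepends JAVA_TOOL_OPTIONS to the command line and, for a repeated `-D`, the last definition wins, so the check joins the two in that order and keeps the last match.

```shell
#!/bin/sh
# Added example for CVE-2020-9488: audit whether a JVM command line carries the
# Log4j < 2.13.2 workaround (system property mail.smtp.ssl.checkserveridentity=true).
# Function name and sample inputs are constructed for this example.

# check_smtps_hostname_verification CMDLINE [JAVA_TOOL_OPTIONS]
# Prints one of: ok / missing / disabled. Returns 0 only for "ok".
check_smtps_hostname_verification() {
    cmdline=$1
    tool_opts=${2:-}
    # JAVA_TOOL_OPTIONS is processed before the command line, and the last
    # definition of a -D property wins, so join in that order and take the last match.
    # A bare "-Dmail.smtp.ssl.checkserveridentity" (no value) also matches; it
    # sets the property to the empty string, which is not "true".
    setting=$(printf '%s %s\n' "$tool_opts" "$cmdline" | tr ' ' '\n' \
        | grep '^-Dmail\.smtp\.ssl\.checkserveridentity\(=.*\)\{0,1\}$' | tail -n 1)
    case "$setting" in
        '')                                          echo missing;  return 1 ;;
        -Dmail.smtp.ssl.checkserveridentity=true)    echo ok;       return 0 ;;
        *)                                           echo disabled; return 1 ;;
    esac
}

# Constructed sample command lines (not captured from a real host); running the
# script alone prints a verdict for each.
for cmd in 'java -cp app.jar com.example.Main' \
           'java -Dmail.smtp.ssl.checkserveridentity=false -jar app.jar' \
           'java -Dmail.smtp.ssl.checkserveridentity -jar app.jar' \
           'java -Dmail.smtp.ssl.checkserveridentity=true -jar app.jar'; do
    printf '%-62s -> %s\n' "$cmd" "$(check_smtps_hostname_verification "$cmd")"
done
```

To audit a live process on Linux, feed it `tr '\0' ' ' < /proc/<pid>/cmdline` as the first argument and the process's JAVA_TOOL_OPTIONS (from `/proc/<pid>/environ`) as the second. A "missing" or "disabled" verdict on a host still running Log4j older than 2.13.2 means SMTPS sessions from the SMTP appender accept a certificate for any host name; once the package is at 2.13.2 or later the appender's own SSL settings apply and this property is no longer the control to check.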
Updated to 2.13.3 in Factory:
Version 2.x commits:
Created attachment 836947
Backported patch for version 2.x