Bug 1170535 - (CVE-2020-9488) VUL-1: CVE-2020-9488: log4j: improper validation of certificate with host mismatch in SMTP appender
(CVE-2020-9488)
VUL-1: CVE-2020-9488: log4j: improper validation of certificate with host mis...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/258459/
CVSSv3.1:SUSE:CVE-2020-9488:3.7:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-04-27 05:23 UTC by Wolfgang Frisch
Modified: 2022-02-13 11:46 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Backported patch for version 2.x (23.59 KB, patch)
2020-04-28 11:19 UTC, Pedro Monreal Gonzalez
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2020-04-27 05:23:30 UTC
CVE-2020-9488

The SMTP appender component of Log4j does not validate certificates with mismatching host names properly. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that component.

References:
https://issues.apache.org/jira/browse/LOG4J2-2819
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9488
http://seclists.org/oss-sec/2020/q2/72
Comment 1 Wolfgang Frisch 2020-04-27 05:23:47 UTC
Mitigation: Users should upgrade to Apache Log4j 2.13.2 which fixed
this issue in LOG4J2-2819 by making SSL settings configurable for
SMTPS mail sessions. As a workaround for previous releases, users can
set the `mail.smtp.ssl.checkserveridentity` system property to `true`
to enable SMTPS hostname verification for all SMTPS mail sessions.
Comment 2 Pedro Monreal Gonzalez 2020-04-27 12:04:29 UTC
Updated to 2.13.3 in Factory:
   https://build.opensuse.org/request/show/798213
Comment 4 Pedro Monreal Gonzalez 2020-04-28 11:16:13 UTC
SLE-15-SP2 submission:
   https://build.suse.de/request/show/217008
Comment 5 Pedro Monreal Gonzalez 2020-04-28 11:19:28 UTC
Created attachment 836947 [details]
Backported patch for version 2.x