SB2026070115 - Multiple vulnerabilities in IBM webMethods BPM
Published: July 1, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper Certificate Validation (CVE-ID: CVE-2026-34477)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a man-in-the-middle attack.
The vulnerability exists due to improper certificate validation in the TLS hostname verification handling of the verifyHostName attribute in Log4j Core SSL configuration when establishing TLS connections for SMTP, Socket, or Syslog appenders. A remote attacker can present a certificate issued by a trusted certificate authority to perform a man-in-the-middle attack.
The issue occurs only when TLS is configured via a nested SSL configuration element, and it does not affect the HTTP appender.
2) Improper Output Neutralization for Logs (CVE-ID: CVE-2026-34478)
CWE-ID: CWE-117 - Improper Output Neutralization for Logs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary log entries.
The vulnerability exists due to improper neutralization of CRLF sequences in Rfc5424Layout when processing logged data with direct Rfc5424Layout configuration using TCP framing. A remote attacker can supply specially crafted input containing CRLF sequences to inject arbitrary log entries.
Only users of stream-based syslog services who configure Rfc5424Layout directly are affected. Users of the SyslogAppender are not affected.
3) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-68161)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the "verifyHostName" configuration attribute or the "log4j2.sslVerifyHostName" system property is set to true. A remote attacker can perform MitM attack and intercept or redirect the log traffic.
Remediation
Install update from vendor's website.