#VU27487 Improper Certificate Validation in Apache Log4j


Published: 2020-05-04

Vulnerability identifier: #VU27487

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-9488

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
Apache Log4j
Universal components / Libraries / Libraries used by multiple products

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform man-in-the-middle attack.

The vulnerability exists due to the Apache Log4j SMTP appender does not validate SSL certificates. A remote attacker can perform a MitM attack, intercept and decrypt network traffic.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Log4j: 2.13.1

Fixed software versions

CPE

External links
http://issues.apache.org/jira/browse/LOG4J2-2819

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Application Performance Management products
Multiple vulnerabilities in IBM QRadar SIEM
Multiple vulnerabilities in Netcool Operations Insight
Multiple vulnerabilities in IBM Security Access Manager for Enterprise Single Sign-On
Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps
Multiple vulnerabilities in IBM Disconnected Log Collector
Multiple vulnerabilities in IBM Operations Analytics - Log Analysis
Multiple vulnerabilities in Oracle StorageTek ACSLS
Multiple vulnerabilities in Red Hat JBoss Data Virtualization
Multiple vulnerabilities in Red Hat JBoss Data Virtualization