Improper Certificate Validation in Apache Log4j

#VU27487 Improper Certificate Validation in Apache Log4j

Published: 2020-05-04

Vulnerability identifier: #VU27487

Vulnerability risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9488

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Log4j
Universal components / Libraries / Libraries used by multiple products

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform man-in-the-middle attack.

The vulnerability exists due to the Apache Log4j SMTP appender does not validate SSL certificates. A remote attacker can perform a MitM attack, intercept and decrypt network traffic.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Log4j: 2.13.1

External links
http://issues.apache.org/jira/browse/LOG4J2-2819

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Sterling Order Management

Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management

Gentoo update for Apache Log4j

Multiple vulnerabilities in IBM Application Performance Management products

Multiple vulnerabilities in IBM QRadar SIEM

Multiple vulnerabilities in Netcool Operations Insight

Multiple vulnerabilities in IBM Security Access Manager for Enterprise Single Sign-On

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps

Multiple vulnerabilities in IBM Disconnected Log Collector

Multiple vulnerabilities in IBM Operations Analytics - Log Analysis