Skip to main content

Log4J CVE-2020-9488

LOW
Improper Certificate Validation (CWE-295)
2020-04-27 security@apache.org
Information Disclosure Apache Log4J Communications Application Session Controller Communications Billing And Revenue Management Communications Eagle Ftp Table Base Retrieval Communications Offline Mediation Controller Communications Services Gatekeeper Communications Unified Inventory Management Data Integrator Enterprise Manager For Peoplesoft Financial Services Analytical Applications Infrastructure Financial Services Institutional Performance Analytics Financial Services Market Risk Measurement And Management Financial Services Price Creation And Discovery Financial Services Retail Customer Analytics Flexcube Core Banking Flexcube Private Banking Health Sciences Information Manager Insurance Insbridge Rating And Underwriting Insurance Policy Administration J2Ee Insurance Rules Palette Jd Edwards World Security Oracle Goldengate Application Adapters Peoplesoft Enterprise Peopletools Policy Automation Policy Automation Connector For Siebel Policy Automation For Mobile Devices Primavera Unifier Retail Advanced Inventory Planning Retail Assortment Planning Retail Bulk Data Integration Retail Customer Management And Segmentation Foundation Retail Eftlink Retail Insights Cloud Service Suite Retail Integration Bus Retail Order Broker Cloud Service Retail Predictive Application Server Retail Xstore Point Of Service Siebel Apps Marketing Siebel Ui Framework Spatial And Graph Storagetek Acsls Storagetek Tape Analytics Sw Tool Utilities Framework Weblogic Server Debian Linux Reload4J
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 27, 2020 - 16:15 cve.org
LOW 3.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 598 maven packages depend on org.apache.logging.log4j:log4j-core (254 direct, 347 indirect)

Ecosystem-wide dependent count for version 2.13.0.

DescriptionCVE.org

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

AnalysisAI

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Technical ContextAI

This vulnerability is classified under CWE-295. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 Affected products include: Apache Log4J, Oracle Communications Application Session Controller, Oracle Communications Billing And Revenue Management, Oracle Communications Eagle Ftp Table Base Retrieval, Oracle Communications Offline Mediation Controller.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Share

CVE-2020-9488 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy