This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new fe13ca1d Automatic Site Publish by Buildbot
fe13ca1d is described below

commit fe13ca1d1d6202ca00d00933371b364c1e54a246
Author: buildbot <[email protected]>
AuthorDate: Thu Dec 18 19:03:06 2025 +0000

    Automatic Site Publish by Buildbot
---
 content/cyclonedx/vdr.xml |  54 +++++++++++++++++++++++-
 content/feed.xml          |   2 +-
 content/security.html     | 102 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 155 insertions(+), 3 deletions(-)

diff --git a/content/cyclonedx/vdr.xml b/content/cyclonedx/vdr.xml
index f9d382b1..c6e4acf8 100644
--- a/content/cyclonedx/vdr.xml
+++ b/content/cyclonedx/vdr.xml
@@ -40,11 +40,11 @@
 <bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
      xmlns="http://cyclonedx.org/schema/bom/1.6";
      xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
-     version="4"
+     version="5"
      serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
 
   <metadata>
-    <timestamp>2025-08-22T07:31:10Z</timestamp>
+    <timestamp>2025-12-18T16:09:38Z</timestamp>
     <manufacturer>
       <name>Apache Logging Services</name>
       <url>https://logging.apache.org</url>
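Review bot: bumping `version` from 4 to 5 while leaving `serialNumber` unchanged is the right way to publish a revision of the same VDR document, and the refreshed `<timestamp>2025-12-18T16:09:38Z</timestamp>` matches the `created`/`published`/`updated` values of the entry added in the next hunk; no change needed here, just keep that pairing in sync when the next advisory is appended.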
@@ -67,6 +67,56 @@
 
   <vulnerabilities>
 
+    <vulnerability>
+        <id>CVE-2025-68161</id>
+        <source>
+            <name>NVD</name>
+            <url>https://nvd.nist.gov/vuln/detail/CVE-2025-68161</url>
+        </source>
+        <ratings>
+            <rating>
+                <source>
+                    <name>The Apache Software Foundation</name>
+                    <url>
+                        
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+                </source>
+                <score>6.3</score>
+                <severity>medium</severity>
+                <method>CVSSv4</method>
+                
<vector>AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+            </rating>
+        </ratings>
+        <cwes>
+            <cwe>297</cwe>
+        </cwes>
+        <description><![CDATA[The Socket Appender in Apache Log4j Core 
versions `2.0-beta9` through `2.25.2` does not perform TLS hostname 
verification of the peer certificate, even when the
+https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName[`verifyHostName`]
+configuration attribute or the
+https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName[`log4j2.sslVerifyHostName`]
+system property is set to `true`.
+
+This issue may allow a man-in-the-middle attacker to intercept or redirect log 
traffic under the following conditions:
+
+* The attacker is able to intercept or redirect network traffic between the 
client and the log receiver.
+* The attacker can present a server certificate issued by a certification 
authority trusted by the Socket Appender’s configured trust store (or by the 
default Java trust store if no custom trust store is 
configured).]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 
Core version `2.25.3`, which fully addresses this issue.
+
+For earlier versions, the risk can be reduced by carefully restricting the 
trust store used by the Socket Appender.]]></recommendation>
+        <created>2025-12-18T16:09:38Z</created>
+        <published>2025-12-18T16:09:38Z</published>
+        <updated>2025-12-18T16:09:38Z</updated>
+        <affects>
+            <target>
+                
<ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+                <versions>
+                    <version>
+                        
<range><![CDATA[vers:maven/>=2.0-beta9|<2.25.3]]></range>
+                    </version>
+                </versions>
+            </target>
+        </affects>
+    </vulnerability>
+
     <vulnerability>
       <id>CVE-2025-54813</id>
       <source>
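Review bot: the `<description>` CDATA still carries AsciiDoc link markup (`https://...#SslConfiguration-attr-verifyHostName[`verifyHostName`]`) and backtick code spans, which VDR consumers will render literally since this is a machine-readable field; consider plain text with the URL in parentheses, as the HTML rendering in the `security.html` hunk already does. The rest of the entry is consistent: CWE-297 (host-mismatch certificate validation) fits the hostname-verification defect, and the range `vers:maven/>=2.0-beta9|<2.25.3` agrees with the prose "2.0-beta9 through 2.25.2" and the fixed version `2.25.3` in the recommendation.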
diff --git a/content/feed.xml b/content/feed.xml
index 1d207985..06c279d0 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?><feed 
xmlns="http://www.w3.org/2005/Atom"; ><generator uri="https://jekyllrb.com/"; 
version="4.4.1">Jekyll</generator><link href="/feed.xml" rel="self" 
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" 
/><updated>2025-08-27T17:31:48+00:00</updated><id>/feed.xml</id><title 
type="html">Apache Software Foundation - Logging 
Services</title><subtitle>Write an awesome description for your new site here. 
You can edit this line in _ [...]
+<?xml version="1.0" encoding="utf-8"?><feed 
xmlns="http://www.w3.org/2005/Atom"; ><generator uri="https://jekyllrb.com/"; 
version="4.4.1">Jekyll</generator><link href="/feed.xml" rel="self" 
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" 
/><updated>2025-12-18T19:03:05+00:00</updated><id>/feed.xml</id><title 
type="html">Apache Software Foundation - Logging 
Services</title><subtitle>Write an awesome description for your new site here. 
You can edit this line in _ [...]
 
 <p>A <strong>Vulnerability Exploitability eXchange (VEX)</strong> is a 
machine-readable file used to indicate whether vulnerabilities in an 
application’s third-party dependencies are actually exploitable.</p>
 
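Review bot: only `<updated>` changes in this hunk, but the regenerated feed still publishes the Jekyll template placeholder as its `<subtitle>` ("Write an awesome description for your new site here. You can edit this line in _ [...]"); set the site description in the Jekyll configuration so the Atom feed advertises a real description for Apache Logging Services.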
diff --git a/content/security.html b/content/security.html
index cdd60beb..76e506c6 100644
--- a/content/security.html
+++ b/content/security.html
@@ -452,6 +452,108 @@ We choose to pool all information on this one page, 
allowing easy searching for
 </table>
 </div>
 <div class="sect2">
+<h3 id="CVE-2025-68161"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2025-68161";>CVE-2025-68161</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p 
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Missing 
TLS hostname verification in Socket appender</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x 
Score &amp; Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.3 MEDIUM 
(CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Apache 
Log4j Core</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta9, 2.25.3)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.25.3</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2025-68161-description">Description</h4>
+<div class="paragraph">
+<p>The Socket Appender in Apache Log4j Core versions <code>2.0-beta9</code> 
through <code>2.25.2</code> does not perform TLS hostname verification of the 
peer certificate, even when the
+<a 
href="https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName";><code>verifyHostName</code></a>
+configuration attribute or the
+<a 
href="https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName";><code>log4j2.sslVerifyHostName</code></a>
+system property is set to <code>true</code>.</p>
+</div>
+<div class="paragraph">
+<p>This issue may allow a man-in-the-middle attacker to intercept or redirect 
log traffic under the following conditions:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>The attacker is able to intercept or redirect network traffic between the 
client and the log receiver.</p>
+</li>
+<li>
+<p>The attacker can present a server certificate issued by a certification 
authority trusted by the Socket Appender’s configured trust store (or by the 
default Java trust store if no custom trust store is configured).</p>
+</li>
+</ul>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2025-68161-remediation">Remediation</h4>
+<div class="paragraph">
+<p>Users are advised to upgrade to Apache Log4j Core version 
<code>2.25.3</code>, which fully addresses this issue.</p>
+</div>
+<div class="paragraph">
+<p>For earlier versions, the risk can be reduced by carefully restricting the 
trust store used by the Socket Appender.</p>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Note</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>When configuring a trust store for Log4j Core, we recommend following 
established best practices.
+For example,
+<a href="https://csrc.nist.gov/pubs/sp/800/52/r2/final";>NIST SP 800-52 Rev. 
2</a>
+(§4.5.2) recommends using a trust store that contains only the CA certificates 
required for the intended communication scope, such as a private or enterprise 
CA.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2025-68161-credits">Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Samuli Leinonen.</p>
+</div>
+<div class="paragraph">
+<p>It was reported through the <a 
href="https://yeswehack.com/programs/log4j-bug-bounty-program";>Apache Log4j Bug 
Bounty Program on YesWeHack</a> funded by the Sovereign Tech Agency.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2025-68161-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2025-68161";>CVE-2025-68161</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4j2/pull/4002";>Pull request 
that fixes the issue</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
 <h3 id="CVE-2025-54813"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2025-54813";>CVE-2025-54813</a></h3>
 <table class="tableblock frame-all grid-all stretch">
 <colgroup>

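Review bot: in the Remediation section, "the risk can be reduced by carefully restricting the trust store used by the Socket Appender" should state explicitly that this only narrows the second precondition listed above (an attacker obtaining a certificate from a CA the appender trusts) and does not restore hostname verification on affected versions; as written, a reader may take the trust-store note as a complete fix rather than a stop-gap before upgrading to `2.25.3`. The summary table is consistent with the description: `[2.0-beta9, 2.25.3)` matches "2.0-beta9 through 2.25.2" and the CVSS 4.0 vector matches the 6.3 MEDIUM score given in the VDR hunk.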