This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 9e1295df docs: add CVE-2025-68161 details
9e1295df is described below

commit 9e1295df1af1991d8c5aa9c8122f1375bd2079e2
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Thu Dec 18 17:56:28 2025 +0100

    docs: add CVE-2025-68161 details
    
    Document the lack of host name verification in Socket Appender.
---
 _vulnerabilities.adoc | 51 ++++++++++++++++++++++++++++++++++++++++++++++++
 cyclonedx/vdr.xml     | 54 +++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 103 insertions(+), 2 deletions(-)

diff --git a/_vulnerabilities.adoc b/_vulnerabilities.adoc
index 087e2149..3da02437 100644
--- a/_vulnerabilities.adoc
+++ b/_vulnerabilities.adoc
@@ -29,6 +29,57 @@ Version ranges follow the 
https://github.com/package-url/vers-spec/blob/main/VER
 For brevity, mathematical interval notation is used, with the union operator 
(`∪`) to represent multiple ranges.
 ====
 
+[#CVE-2025-68161]
+== {cve-url-prefix}/CVE-2025-68161[CVE-2025-68161]
+
+[cols="1h,5"]
+|===
+|Summary |Missing TLS hostname verification in Socket appender
+|CVSS 4.x Score & Vector |6.3 MEDIUM 
(CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N)
+|Components affected |Apache Log4j Core
+|Versions affected |`[2.0-beta9, 2.25.3)`
+|Versions fixed |`2.25.3`
+|===
+
+[#CVE-2025-68161-description]
+=== Description
+
+The Socket Appender in Apache Log4j Core versions `2.0-beta9` through `2.25.2` 
does not perform TLS hostname verification of the peer certificate, even when 
the
+https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName[`verifyHostName`]
+configuration attribute or the
+https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName[`log4j2.sslVerifyHostName`]
+system property is set to `true`.
+
+This issue may allow a man-in-the-middle attacker to intercept or redirect log 
traffic under the following conditions:
+
+* The attacker is able to intercept or redirect network traffic between the 
client and the log receiver.
+* The attacker can present a server certificate issued by a certification 
authority trusted by the Socket Appender’s configured trust store (or by the 
default Java trust store if no custom trust store is configured).
+
+[#CVE-2025-68161-remediation]
+=== Remediation
+Users are advised to upgrade to Apache Log4j Core version `2.25.3`, which 
fully addresses this issue.
+
+For earlier versions, the risk can be reduced by carefully restricting the 
trust store used by the Socket Appender.
+
+[NOTE]
+====
+When configuring a trust store for Log4j Core, we recommend following 
established best practices.
+For example,
+https://csrc.nist.gov/pubs/sp/800/52/r2/final[NIST SP 800-52 Rev. 2]
+(§4.5.2) recommends using a trust store that contains only the CA certificates 
required for the intended communication scope, such as a private or enterprise 
CA.
+====
+
+[#CVE-2025-68161-credits]
+=== Credits
+This issue was discovered by Samuli Leinonen.
+
+It was reported through the 
https://yeswehack.com/programs/log4j-bug-bounty-program[Apache Log4j Bug Bounty 
Program on YesWeHack] funded by the Sovereign Tech Agency.
+
+[#CVE-2025-68161-references]
+=== References
+* {cve-url-prefix}/CVE-2025-68161[CVE-2025-68161]
+* https://github.com/apache/logging-log4j2/pull/4002[Pull request that fixes 
the issue]
+
 [#CVE-2025-54813]
 == {cve-url-prefix}/CVE-2025-54813[CVE-2025-54813]
 
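Review bot: the mitigation sentence in the Remediation section ("the risk can be reduced by carefully restricting the trust store used by the Socket Appender") should say what the restriction buys and what it does not. Without hostname verification the appender accepts any certificate that chains to a CA in its trust store, whatever host that certificate was issued for, so with a public CA or a broad enterprise CA every certificate holder under that CA can impersonate the log receiver; only a trust store limited to a CA that issues certificates for the receiver alone narrows the attacker to that CA's certificates, and nothing short of upgrading to 2.25.3 closes the gap. Suggest one sentence after the mitigation line, e.g. "Because affected versions accept any certificate chaining to a trusted CA regardless of the host name it was issued for, the trust store should contain only the CA that issues the receiver's certificate." The NIST SP 800-52 NOTE already points that way, but the link between the two paragraphs is left to the reader. Second, the Description says the check is skipped "even when `verifyHostName` ... is set to `true`"; stating whether the default configuration ever enabled the check would tell readers whether users who never touched the attribute are in the same position as those who set it explicitly.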
diff --git a/cyclonedx/vdr.xml b/cyclonedx/vdr.xml
index f9d382b1..c6e4acf8 100644
--- a/cyclonedx/vdr.xml
+++ b/cyclonedx/vdr.xml
@@ -40,11 +40,11 @@
 <bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
      xmlns="http://cyclonedx.org/schema/bom/1.6";
      xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
-     version="4"
+     version="5"
      serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
 
   <metadata>
-    <timestamp>2025-08-22T07:31:10Z</timestamp>
+    <timestamp>2025-12-18T16:09:38Z</timestamp>
     <manufacturer>
       <name>Apache Logging Services</name>
       <url>https://logging.apache.org</url>
@@ -67,6 +67,56 @@
 
   <vulnerabilities>
 
+    <vulnerability>
+        <id>CVE-2025-68161</id>
+        <source>
+            <name>NVD</name>
+            <url>https://nvd.nist.gov/vuln/detail/CVE-2025-68161</url>
+        </source>
+        <ratings>
+            <rating>
+                <source>
+                    <name>The Apache Software Foundation</name>
+                    <url>
+                        
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+                </source>
+                <score>6.3</score>
+                <severity>medium</severity>
+                <method>CVSSv4</method>
+                
<vector>AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+            </rating>
+        </ratings>
+        <cwes>
+            <cwe>297</cwe>
+        </cwes>
+        <description><![CDATA[The Socket Appender in Apache Log4j Core 
versions `2.0-beta9` through `2.25.2` does not perform TLS hostname 
verification of the peer certificate, even when the
+https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName[`verifyHostName`]
+configuration attribute or the
+https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName[`log4j2.sslVerifyHostName`]
+system property is set to `true`.
+
+This issue may allow a man-in-the-middle attacker to intercept or redirect log 
traffic under the following conditions:
+
+* The attacker is able to intercept or redirect network traffic between the 
client and the log receiver.
+* The attacker can present a server certificate issued by a certification 
authority trusted by the Socket Appender’s configured trust store (or by the 
default Java trust store if no custom trust store is 
configured).]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 
Core version `2.25.3`, which fully addresses this issue.
+
+For earlier versions, the risk can be reduced by carefully restricting the 
trust store used by the Socket Appender.]]></recommendation>
+        <created>2025-12-18T16:09:38Z</created>
+        <published>2025-12-18T16:09:38Z</published>
+        <updated>2025-12-18T16:09:38Z</updated>
+        <affects>
+            <target>
+                
<ref>pkg:maven/org.apache.logging.log4j/log4j-core?type=jar</ref>
+                <versions>
+                    <version>
+                        
<range><![CDATA[vers:maven/>=2.0-beta9|<2.25.3]]></range>
+                    </version>
+                </versions>
+            </target>
+        </affects>
+    </vulnerability>
+
     <vulnerability>
       <id>CVE-2025-54813</id>
       <source>
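Review bot: the `<description>` and `<recommendation>` CDATA bodies carry AsciiDoc markup (backticked version numbers, `url[text]` link syntax) that CycloneDX consumers will display verbatim, since nothing downstream renders AsciiDoc; the VDR entry should carry plain text with bare URLs. The fix PR listed under References in the `.adoc` has no counterpart in this entry; the CycloneDX 1.6 `vulnerability` element supports `<references>` and `<advisories>`, so add the pull request URL there so the VDR is self-contained. Style: the new entry is indented 8 spaces per level while the neighbouring entry uses 6 (`        <id>CVE-2025-68161</id>` vs `      <id>CVE-2025-54813</id>`); match the existing indentation. CWE-297 (Improper Validation of Certificate with Host Mismatch) is the right classification for a missing hostname check.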
