[https://issues.apache.org/jira/browse/KAFKA-20038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18050288#comment-18050288]
Krishna Chidrawar commented on KAFKA-20038:
-------------------------------------------
Nope, you guys can pick this up.
> [CVE-2025-68161] [log4j-core] [2.17.1][Kafka]
> ---------------------------------------------
>
> Key: KAFKA-20038
> URL: https://issues.apache.org/jira/browse/KAFKA-20038
> Project: Kafka
> Issue Type: Bug
> Reporter: Krishna Chidrawar
> Assignee: Chia-Ping Tsai
> Priority: Critical
> Fix For: 4.2.0, 4.0.2, 4.1.2
>
>
> The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2
> does not perform TLS hostname verification of the peer certificate, even when
> the verifyHostName
> [https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName]
> configuration attribute or the log4j2.sslVerifyHostName
> [https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName]
> system property is set to true. This issue may allow a man-in-the-middle
> attacker to intercept or redirect log traffic under the following conditions:
>
> * The attacker is able to intercept or redirect network traffic between the
> client and the log receiver.
> * The attacker can present a server certificate issued by a certification
> authority trusted by the Socket Appender's configured trust store (or by the
> default Java trust store if no custom trust store is configured).
>
> Users are advised to upgrade to Apache Log4j Core version 2.25.3, which
> addresses this issue. As an alternative mitigation, the Socket Appender may be
> configured to use a private or restricted trust root to limit the set of
> trusted certificates.
> CVE LINK : [https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
> Fix version : 2.25.3
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
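The quoted description makes two points a practitioner should be able to see in code: a TLS client that validates the certificate chain but never checks the peer name against the host it dialled, and the interim mitigation of restricting the trust root. The following is an added illustration of both at the plain JSSE level; it is not Log4j or Kafka code and does not reproduce the Socket Appender's internals. The trust store path, its password, and the receiver host and port are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Log4j's own code): open a TLS connection to a log receiver
 * with (1) a restricted trust root and (2) hostname verification enabled.
 */
public final class VerifiedLogSocket {

    // Placeholder values: a private PKCS12 trust store that holds only the CA
    // which issues the log receiver's certificate, nothing else.
    private static final String TRUST_STORE_PATH = "/path/to/log-receiver-truststore.p12";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    public static SSLSocket connect(String host, int port) throws Exception {
        // (1) Restricted trust root: the context trusts only the CAs in this store,
        //     so a certificate from some other publicly trusted CA is rejected even
        //     before the name check. This is the "private or restricted trust root"
        //     mitigation mentioned in the advisory text.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(TRUST_STORE_PATH)) {
            trustStore.load(in, TRUST_STORE_PASSWORD);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        // (2) Hostname verification. A raw SSLSocket validates the chain but does
        //     NOT compare the certificate's names against `host` unless an endpoint
        //     identification algorithm is set. Leaving these three lines out gives
        //     exactly the behaviour the description attributes to the affected
        //     Socket Appender: any certificate from a trusted CA is accepted,
        //     whatever name it carries.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        // Fails with SSLHandshakeException on an untrusted chain or a name mismatch.
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder receiver address.
        try (SSLSocket s = connect("log-receiver.example.internal", 4560)) {
            System.out.println("TLS handshake OK, peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

The two defences are independent: the restricted trust store narrows which issuers may vouch for the receiver, while endpoint identification ties the accepted certificate to the host actually dialled. An operator on Log4j Core 2.25.3 or later gets the second from the verifyHostName attribute; the snippet only shows what that check consists of underneath, and why a narrow trust store still reduces exposure on versions where the attribute is not honoured.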