[ https://issues.apache.org/jira/browse/KAFKA-20038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18050325#comment-18050325 ]

Chia-Ping Tsai commented on KAFKA-20038:
----------------------------------------

trunk: [https://github.com/apache/kafka/commit/84fa53142b73821c7dea954a96d6a7becd9c9d73]

4.2: [https://github.com/apache/kafka/commit/24ef4f0a13bf0bf2a7b9d908a6b44aec8cb62956]

> [CVE-2025-68161] [log4j-core] [2.17.1][Kafka]
> ---------------------------------------------
>
>                 Key: KAFKA-20038
>                 URL: https://issues.apache.org/jira/browse/KAFKA-20038
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Krishna Chidrawar
>            Assignee: Chia-Ping Tsai
>            Priority: Critical
>             Fix For: 4.2.0, 4.0.2, 4.1.2
>
>
> The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2
> does not perform TLS hostname verification of the peer certificate, even when
> the verifyHostName
> [https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName]
> configuration attribute or the log4j2.sslVerifyHostName
> [https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName]
> system property is set to true. This issue may allow a man-in-the-middle
> attacker to intercept or redirect log traffic under the following conditions:
>
> * The attacker is able to intercept or redirect network traffic between the
>   client and the log receiver.
> * The attacker can present a server certificate issued by a certification
>   authority trusted by the Socket Appender's configured trust store (or by the
>   default Java trust store if no custom trust store is configured).
>
> Users are advised to upgrade to Apache Log4j Core version 2.25.3, which
> addresses this issue. As an alternative mitigation, the Socket Appender may be
> configured to use a private or restricted trust root to limit the set of
> trusted certificates.
>
> CVE link: [https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
> Fix version: 2.25.3



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
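The alternative mitigation the description names (pointing the Socket Appender at a private, restricted trust root) as an added log4j2.xml example; this is not part of the issue, the comment, or the Kafka project's own configuration, and the receiver host, port, trust-store path and environment variable name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: TLS Socket Appender restricted to a private CA.
     Host, port, store path and env var are assumed values. -->
<Configuration status="WARN">
  <Appenders>
    <!-- protocol="SSL" makes the appender use a TLS socket instead of plain TCP -->
    <Socket name="secureSocket" host="log-receiver.internal.example" port="6514" protocol="SSL">
      <JsonTemplateLayout/>
      <!-- verifyHostName="true" is the intended setting; per CVE-2025-68161 it is
           only honoured from Log4j Core 2.25.3 on, so the trust store below is
           what actually limits exposure on earlier releases. -->
      <Ssl protocol="TLS" verifyHostName="true">
        <!-- A dedicated store holding ONLY the private CA that issues the log
             receiver's certificate. The JVM default trust store (public CAs) is
             not consulted, so a certificate from any other CA is rejected. -->
        <TrustStore location="/etc/kafka/tls/log-receiver-ca.p12"
                    type="PKCS12"
                    passwordEnvironmentVariable="LOG_TRUSTSTORE_PASSWORD"/>
      </Ssl>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="INFO">
      <AppenderRef ref="secureSocket"/>
    </Root>
  </Loggers>
</Configuration>
```

Keep the store password out of the file (here it is read from an environment variable) and regenerate the store whenever the private CA is rotated; upgrading to 2.25.3 restores hostname verification on top of this CA pinning.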