[ https://issues.apache.org/jira/browse/LOG4J2-2819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Remko Popma updated LOG4J2-2819:
--------------------------------
    Fix Version/s: 2.12.3

> Add support for specifying an SSL configuration for SmtpAppender
> ----------------------------------------------------------------
>
>                 Key: LOG4J2-2819
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2819
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Appenders
>    Affects Versions: 2.13.1
>            Reporter: Matt Sicker
>            Assignee: Matt Sicker
>            Priority: Major
>             Fix For: 2.13.2, 2.12.3
>
>
> The SmtpAppender should be able to use an SSL configuration element to
> specify a trust store, host name verification, and a key store, so that smtps
> connections can be further configured. This should re-use the same {{<SSL/>}}
> configuration element that's used elsewhere like HttpAppender.
> h2. CVE-2020-9488
> The SmtpAppender did not verify the host name matched the SSL/TLS certificate
> of an SMTPS connection which could allow an attacker with man-in-the-middle
> access to intercept log messages sent through SMTPS.
> h3. Mitigation
> Upgrade to 2.13.2 which supports this feature. Previous versions can set the
> system property {{mail.smtp.ssl.checkserveridentity}} to {{true}} to globally
> enable hostname verification for SMTPS connections.
> h3. Details
> CWE: 297
> CVSS: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
> Reporter: Peter Stöckli <peter.stoc...@alphabot.com>
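An audit check for the workaround named under Mitigation, added here as an example and not part of the original message or of Log4j: it lists SMTP appenders that use smtps and reports them when the JVM arguments do not set mail.smtp.ssl.checkserveridentity to true. It assumes an XML Log4j 2 configuration; the sample configuration, host names and JVM arguments are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

PROP = "mail.smtp.ssl.checkserveridentity"  # system property named in the advisory

# Constructed sample inputs (not taken from the original message).
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <SMTP name="AlertMail" smtpProtocol="smtps" smtpHost="mail.example.org"
          smtpPort="465" to="ops@example.org" from="app@example.org"/>
    <SMTP name="PlainMail" smtpProtocol="smtp" smtpHost="relay.example.org"
          to="ops@example.org" from="app@example.org"/>
    <Console name="Stdout"/>
  </Appenders>
</Configuration>"""
SAMPLE_JVM_ARGS = "-Xmx512m -Dfile.encoding=UTF-8"

def property_enabled(jvm_args):
    """True only if PROP is set on the command line and every setting is 'true'."""
    values = re.findall(r"-D" + re.escape(PROP) + r"=(\S+)", jvm_args)
    # Conservative: a single non-true occurrence counts as not enabled.
    return bool(values) and all(v.strip("\"'").lower() == "true" for v in values)

def smtps_appenders(config_xml):
    """Names of SMTP appenders whose smtpProtocol attribute is smtps."""
    names = []
    for el in ET.fromstring(config_xml).iter():
        # Drop any XML namespace; compare names without regard to case.
        tag = el.tag.rsplit("}", 1)[-1].lower()
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        if tag == "smtp" and attrs.get("smtpprotocol", "").lower() == "smtps":
            names.append(attrs.get("name", "<unnamed>"))
    return names

def audit(config_xml, jvm_args):
    """One finding per smtps appender when the workaround property is not enabled."""
    if property_enabled(jvm_args):
        return []
    return [f"{name}: smtps without {PROP}=true"
            for name in smtps_appenders(config_xml)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_JVM_ARGS):
        print(finding)
```

The check covers only the system-property workaround for versions before the fix; it does not inspect an SSL configuration element on upgraded installations.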