Apache Logging Companies has disclosed a vital safety vulnerability in Log4j Core that exposes purposes to potential interception of log information.
The flaw resides within the Socket Appender part. It impacts variations 2.0-beta9 by way of 2.25.2, making a man-in-the-middle assault vector for malicious actors.
The Socket Appender in affected Log4j variations fails to confirm the TLS hostname of peer certificates correctly. Even when directors explicitly allow the verification characteristic by way of configuration.
This oversight permits attackers positioned between a consumer and a log receiver to intercept or redirect delicate logging site visitors. The vulnerability requires particular situations to take advantage of.
CVE IDComponentAffected VersionsCVSS ScoreIssueCVE-2025-68161Apache Log4j Core2.0-beta9 by way of 2.25.26.3Missing TLS hostname verification in Socket appender
Attackers should intercept community site visitors between the consumer and the log receiver whereas presenting a server certificates issued by a trusted certification authority.
If the Socket Appender trusts that certificates by way of its configured belief retailer, the assault succeeds, doubtlessly exposing mission-critical log information.
Logging frameworks deal with delicate data by design, together with consumer actions, system occasions, and utility conduct information. Log information typically include delicate data that organizations should defend.
This vulnerability undermines that safety by permitting unauthorized third events to entry log streams with out detection.
The Apache Logging Companies Safety Staff assigned this problem a CVSS 4.0 rating of 6.3, categorized as MEDIUM severity.
The scoring displays the assault complexity and particular conditions required for profitable exploitation.
Background on Log4j Safety
Apache has launched model 2.25.3 of Log4j Core, which completely addresses this TLS hostname verification problem.
Organizations utilizing affected variations ought to prioritize upgrading instantly to safe their logging infrastructure.
For techniques unable to improve instantly, Apache recommends fastidiously limiting the usage of belief shops.
Following NIST SP 800-52 Rev. 2 pointers, directors ought to configure belief shops to include solely the required CA certificates required for particular communication scopes, equivalent to personal or enterprise CAs.
The Logging Companies Safety Staff maintains a complete safety vulnerability disclosure program.
The group prioritizes accuracy, completeness, and availability of safety data by way of its centralized vulnerability monitoring system and Vulnerability Disclosure Report revealed at logging.apache.org.
Organizations counting on Log4j ought to overview their present variations and implement obligatory updates promptly.
The Apache Logging Companies crew continues to watch dependencies and tackle safety threats affecting its broadly deployed logging options used throughout enterprise purposes globally.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
