National Cybersecurity Institute. INCIBE section
National Cybersecurity Institute. INCIBE-CERT section

CVE-2025-68161

CVSS v4.0 severity:
MEDIUM
Type:
CWE-297 Improper Validation of Certificate with Host Mismatch
Publication date:
18/12/2025
Last modified:
19/12/2025

Description

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) or the log4j2.sslVerifyHostName system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

* The attacker is able to intercept or redirect network traffic between the client and the log receiver.
* The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender's configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.

As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
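The following log4j2.xml fragment is an added illustration of the alternative mitigation described above; it is not part of this record and not an Apache Log4j project example. The host name, port, trust store path, and the environment variable holding the trust store password are placeholder assumptions. The idea is that the Socket Appender trusts only a dedicated trust store containing the certification authority that issues the log receiver's certificate, rather than the default Java trust store, so that a certificate from any other publicly trusted CA is rejected even while hostname verification is ineffective. The verifyHostName attribute is kept set to true so that, once the application is upgraded to 2.25.3, hostname verification takes effect without a further configuration change.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example configuration (assumed values, not from the advisory). -->
<Configuration status="WARN">
  <Appenders>
    <!-- protocol="SSL" makes the appender wrap the TCP connection in TLS. -->
    <Socket name="SecureSocket"
            host="log-receiver.internal.example"
            port="6514"
            protocol="SSL">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1.} - %m%n"/>
      <!-- On 2.0-beta9 through 2.25.2 verifyHostName is ignored by the
           Socket Appender; it is still set so it applies after upgrading
           to 2.25.3. -->
      <Ssl protocol="TLSv1.3" verifyHostName="true">
        <!-- Private trust store containing only the CA that issues the
             log receiver's certificate; publicly trusted CAs are excluded,
             which limits who can satisfy the TLS handshake. -->
        <TrustStore location="/etc/myapp/tls/log-receiver-ca.p12"
                    type="PKCS12"
                    passwordEnvironmentVariable="LOG_TRUSTSTORE_PASSWORD"/>
      </Ssl>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="SecureSocket"/>
    </Root>
  </Loggers>
</Configuration>
```

The restricted trust store narrows the second precondition listed in the description (the attacker must hold a certificate from a CA the appender trusts) but does not remove the underlying defect; upgrading to 2.25.3 remains the fix.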