
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN896
_____________________________________________________________________

DATE                : 22/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Log4j Core versions prior
                     to 2.25.3.

=====================================================================
https://lists.apache.org/thread/tv58ozvsvt9nobwkzlhdztwq2b131f9h
_____________________________________________________________________

CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification
in Socket appender

Severity: moderate

Affected versions:

- Apache Log4j Core (org.apache.logging.log4j:log4j-core) 2.0-beta9
before 2.25.3

Description:

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through
2.25.2 does not perform TLS hostname verification of the peer
certificate, even when the verifyHostName configuration attribute
(https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName)
or the log4j2.sslVerifyHostName system property
(https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName)
is set to true.

This issue may allow a man-in-the-middle attacker to intercept or
redirect log traffic under the following conditions:

  * The attacker is able to intercept or redirect network traffic
    between the client and the log receiver.
  * The attacker can present a server certificate issued by a
    certification authority trusted by the Socket Appender's configured
    trust store (or by the default Java trust store if no custom trust
    store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3,
which addresses this issue.

As an alternative mitigation, the Socket Appender may be configured
to use a private or restricted trust root to limit the set of
trusted certificates.
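The mitigation described above, as an added configuration example that is
not part of the advisory or of the Log4j project: the first appender relies
on the default Java trust store (weak on affected versions, because the
verifyHostName attribute is ignored), the second pins trust to a private
store holding only the log receiver's CA. Host name, port, store path and
password variable are placeholders; element and attribute names follow the
Log4j 2 network appender documentation linked in this note.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the advisory's own configuration.
     Placeholders: logs.example.internal, port 6514, the trust store
     path and the LOG_TRUSTSTORE_PASSWORD environment variable. -->
<Configuration status="WARN">
  <Appenders>

    <!-- Weak on log4j-core < 2.25.3: trust comes from the default Java
         trust store, and verifyHostName="true" is not honoured, so a
         certificate issued by any publicly trusted CA is accepted for the
         peer regardless of the name it carries. -->
    <Socket name="LogReceiverDefaultTrust" host="logs.example.internal"
            port="6514" protocol="SSL">
      <Ssl protocol="TLSv1.3" verifyHostName="true"/>
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c - %m%n"/>
    </Socket>

    <!-- Mitigated: a private trust store that contains only the CA of the
         log receiver. A certificate from any other CA fails the trust check
         even on versions that skip hostname verification. Keep
         verifyHostName="true" so that 2.25.3 and later also check the name. -->
    <Socket name="LogReceiver" host="logs.example.internal"
            port="6514" protocol="SSL">
      <Ssl protocol="TLSv1.3" verifyHostName="true">
        <TrustStore location="/etc/app/log-receiver-truststore.p12"
                    type="PKCS12"
                    passwordEnvironmentVariable="LOG_TRUSTSTORE_PASSWORD"/>
      </Ssl>
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c - %m%n"/>
    </Socket>

  </Appenders>
  <Loggers>
    <!-- Only the pinned appender is wired in; the weak one is kept for
         comparison and should not be referenced in production. -->
    <Root level="info">
      <AppenderRef ref="LogReceiver"/>
    </Root>
  </Loggers>
</Configuration>
```

The private trust store is a defence in depth, not a substitute for the upgrade to 2.25.3: a compromised or misissued certificate from the pinned CA would still be accepted without a name check on affected versions.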

Credit:

Samuli Leinonen (finder)

References:

https://github.com/apache/logging-log4j2/pull/4002
https://logging.apache.org/security.html#CVE-2025-68161
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName
https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
https://logging.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-68161


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================