Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender. Reference: https://issues.apache.org/jira/browse/LOG4J2-2819
Created log4j tracking bugs for this issue: Affects: fedora-all [bug 1831142] Created log4j12 tracking bugs for this issue: Affects: fedora-all [bug 1831143]
Upstream patch: https://github.com/apache/logging-log4j2/commit/6851b50/
This vulnerability is out of security support scope for the following products:
* Red Hat Enterprise Application Platform 6
* Red Hat Enterprise Application Platform 5
* Red Hat JBoss Operations Network 3
* Red Hat JBoss BRMS 5
* Red Hat JBoss BRMS 6
* Red Hat JBoss BPMS 6
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss SOA Platform 5
* Red Hat JBoss Active MQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Mitigation: Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.
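The following audit script is an added example and is not code from the Red Hat tracker or the Log4j project. It scans log4j2 XML configurations for SMTP appenders that use smtpProtocol="smtps" and reports whether certificate hostname verification is in effect, either through the JVM system property named above or through the `<SSL verifyHostName="true">` child element that, as I understand the upstream fix (Log4j 2.13.2 / 2.12.3), the fixed SMTP appender accepts. One caveat it encodes: JavaMail reads `mail.<protocol>.ssl.checkserveridentity` for the transport actually in use, so an appender declaring smtpProtocol="smtps" consults `mail.smtps.ssl.checkserveridentity`, while the spelling in the mitigation note, `mail.smtp.ssl.checkserveridentity`, is read by the plain `smtp` transport. The two configurations, the hostnames and the java command lines are constructed for the example; STARTTLS over plain `smtp` is outside the CVE and is not examined.

```python
# Added example (not from Red Hat or the Log4j project): audit log4j2 XML
# configurations for SMTPS appenders lacking hostname verification (CVE-2020-9488).
import shlex
import xml.etree.ElementTree as ET

# Constructed configuration: SMTPS with no hostname verification anywhere.
WEAK_CONFIG = """
<Configuration status="warn">
  <Appenders>
    <SMTP name="Mail" subject="Error log" to="ops@example.org" from="log4j@example.org"
          smtpHost="smtp.example.org" smtpPort="465" smtpProtocol="smtps" bufferSize="50">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </SMTP>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="error"><AppenderRef ref="Mail"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed configuration for a fixed Log4j: explicit SSL element with verifyHostName.
FIXED_CONFIG = """
<Configuration status="warn">
  <Appenders>
    <SMTP name="Mail" subject="Error log" to="ops@example.org" from="log4j@example.org"
          smtpHost="smtp.example.org" smtpPort="465" smtpProtocol="smtps" bufferSize="50">
      <SSL verifyHostName="true">
        <TrustStore location="/etc/pki/app/truststore.p12" password="changeit"/>
      </SSL>
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </SMTP>
  </Appenders>
  <Loggers>
    <Root level="error"><AppenderRef ref="Mail"/></Root>
  </Loggers>
</Configuration>
"""


def jvm_props(cmdline: str) -> dict:
    """Collect -Dkey=value system properties from a java command line."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            props[key] = value
    return props


def _attr(el, name):
    """Log4j treats attribute names case-insensitively; match accordingly."""
    for key, value in el.attrib.items():
        if key.lower() == name.lower():
            return value
    return None


def _is_smtp_appender(el) -> bool:
    # Plugin name "SMTP", or strict-XML form <Appender type="SMTP">.
    tag = el.tag.lower()
    return tag == "smtp" or (tag == "appender" and (_attr(el, "type") or "").lower() == "smtp")


def _child(el, name):
    return next((c for c in el if c.tag.lower() == name.lower()), None)


def audit_config(xml_text: str, jvm_properties: dict) -> list:
    """Return one finding per SMTP appender: which property applies and whether verification is on."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if not _is_smtp_appender(el):
            continue
        protocol = (_attr(el, "smtpProtocol") or "smtp").lower()
        # JavaMail keys every transport property on the protocol name in use.
        prop_key = f"mail.{protocol}.ssl.checkserveridentity"
        global_verify = jvm_properties.get(prop_key, "").lower() == "true"
        ssl = _child(el, "SSL")
        explicit_verify = ssl is not None and (_attr(ssl, "verifyHostName") or "").lower() == "true"
        if protocol != "smtps":
            status = "not-smtps"          # plain smtp / STARTTLS is outside CVE-2020-9488
        elif explicit_verify or global_verify:
            status = "ok"
        else:
            status = "VULNERABLE"         # TLS without hostname check: MITM can read log mail
        findings.append({"appender": _attr(el, "name") or "<unnamed>", "protocol": protocol,
                         "property": prop_key, "explicit_verify": explicit_verify,
                         "global_verify": global_verify, "status": status})
    return findings


if __name__ == "__main__":
    for label, cfg, cmd in (("weak, no flag", WEAK_CONFIG, "java -jar app.jar"),
                            ("weak, smtp flag", WEAK_CONFIG,
                             "java -Dmail.smtp.ssl.checkserveridentity=true -jar app.jar"),
                            ("weak, smtps flag", WEAK_CONFIG,
                             "java -Dmail.smtps.ssl.checkserveridentity=true -jar app.jar"),
                            ("fixed config", FIXED_CONFIG, "java -jar app.jar")):
        for f in audit_config(cfg, jvm_props(cmd)):
            print(f"{label:16} {f['appender']:6} {f['property']:40} {f['status']}")
```

Run it against the real log4j2.xml files and the JVM arguments from the service unit or start script; anything reported VULNERABLE is an appender whose SMTPS session accepts any certificate the trust store chains to, regardless of the name in it.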
The following OpenShift components package a version of log4j which includes the vulnerable SMTP class (included in the log4j-core package for log4j v2):
- openshift4/ose-logging-elasticsearch5
- openshift4/ose-metering-hive
This issue has been addressed in the following products: Red Hat OpenShift Application Runtimes Via RHSA-2020:2391 https://access.redhat.com/errata/RHSA-2020:2391
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-9488
This issue has been addressed in the following products: Red Hat Data Grid Via RHSA-2020:3626 https://access.redhat.com/errata/RHSA-2020:3626
This issue has been addressed in the following products: Red Hat Data Grid 7.3.7 Via RHSA-2020:3779 https://access.redhat.com/errata/RHSA-2020:3779
This issue has been addressed in the following products:
AMQ Clients 2.y for RHEL 6
AMQ Clients 2.y for RHEL 7
AMQ Clients 2.y for RHEL 8
Via RHSA-2020:3817 https://access.redhat.com/errata/RHSA-2020:3817
This issue has been addressed in the following products: Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
This issue has been addressed in the following products: RHDM 7.10.0 Via RHSA-2021:0603 https://access.redhat.com/errata/RHSA-2021:0603
This issue has been addressed in the following products: RHPAM 7.10.1 Via RHSA-2021:1044 https://access.redhat.com/errata/RHSA-2021:1044
This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
Red Hat Satellite bundles log4j-over-slf4j with Candlepin; however, the product is not affected, as it does not use the SMTP appender by default and only uses the logback framework for logging.
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.4.8.SP1 Via RHSA-2022:0497 https://access.redhat.com/errata/RHSA-2022:0497
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.4.8.SP2 Via RHSA-2022:0507 https://access.redhat.com/errata/RHSA-2022:0507