2423705 – (CVE-2025-68161) CVE-2025-68161 Apache Log4j: Apache Log4j Core: Missing TLS hostname verification in Socket appender

Bug 2423705 (CVE-2025-68161) - CVE-2025-68161 Apache Log4j: Apache Log4j Core: Missing TLS hostname verification in Socket appender

Summary: CVE-2025-68161 Apache Log4j: Apache Log4j Core: Missing TLS hostname verifica...

Keywords:
Status:	NEW
Alias:	CVE-2025-68161
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2427873 2427874 2427875 2427876 2427877 2427878
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-18 21:02 UTC by OSIDB Bzimport
Modified:	2026-01-12 20:15 UTC (History)
CC List:	77 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-18 21:02:08 UTC

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the  verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  configuration attribute or the  log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

  *  The attacker is able to intercept or redirect network traffic between the client and the log receiver.
  *  The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).


Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.

As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

Comment 3 michael.h.hall-1 2026-01-12 20:15:25 UTC

Tenable seems to be scanning for this as 

https://www.tenable.com/cve/CVE-2025-68161

Note You need to log in before you can comment on or make changes to this bug.

abrianik
alinfoot
amctagga
aoconnor
aprice
asoldano
ataylor
bbaranow
bbrownin
bmaxwell
bniver
brian.stansberry
caswilli
chfoley
csutherl
darran.lofthouse
dbruscin
dosoudil
drosa
dsoumis
dtrifiro
eric.wittmann
fjuma
flucifre
fmariani
ggrzybek
gmalinko
gmeno
groman
istudens
ivassile
iweiss
janstey
jcantril
jclere
jkoehler
jsamir
jscholz
kaycoth
kgaikwad
kvanderr
lphiri
mbenjamin
mhackett
michael.h.hall-1
mnovotny
mosmerov
msvehla
nipatil
nwallace
oezr
pantinor
parichar
pberan
pbizzarr
pdelbell
pesilva
pjindal
plodge
pmackay
rbryant
rkubis
rmaucher
rojacob
rstancel
rstepani
sausingh
smaestri
sostapov
swoodman
szappis
tasato
tcunning
tom.jenkinson
vereddy
weaton
yfang