2457319 – (CVE-2026-34477) CVE-2026-34477 org.apache.logging.log4j/log4j-core: Apache Log4j Core: Man-in-the-middle attack due to incomplete hostname verification

Bug 2457319 (CVE-2026-34477) - CVE-2026-34477 org.apache.logging.log4j/log4j-core: Apache Log4j Core: Man-in-the-middle attack due to incomplete hostname verification

Summary: CVE-2026-34477 org.apache.logging.log4j/log4j-core: Apache Log4j Core: Man-in...

Keywords:
Status:	NEW
Alias:	CVE-2026-34477
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2457904 2457907 2457908 2457903 2457905 2457906
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-10 16:02 UTC by OSIDB Bzimport
Modified:	2026-04-13 16:41 UTC (History)
CC List:	67 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-10 16:02:01 UTC

The fix for  CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161  was incomplete: it addressed hostname verification only when enabled via the  log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property, but not when configured through the  verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  attribute of the <Ssl> element.

Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.

A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:

  *  An SMTP, Socket, or Syslog appender is in use.
  *  TLS is configured via a nested <Ssl> element.
  *  The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.
This issue does not affect users of the HTTP appender, which uses a separate  verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName  attribute that was not subject to this bug and verifies host names by default.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Note You need to log in before you can comment on or make changes to this bug.

abrianik
alinfoot
aprice
asoldano
ataylor
bbaranow
bbrownin
bmaxwell
bstansbe
caswilli
chfoley
csutherl
dbruscin
dlofthou
drosa
dsoumis
dtrifiro
ewittman
fmariani
ggrzybek
gmalinko
istudens
ivassile
iweiss
janstey
jclere
jkoehler
jraez
jsamir
kaycoth
kgaikwad
kvanderr
lphiri
mnovotny
mosmerov
mstipich
msvehla
nipatil
nwallace
oezr
pantinor
parichar
pberan
pbizzarr
pdelbell
pesilva
pjindal
plodge
pmackay
rbryant
rexwhite
rgodfrey
rkubis
rmaucher
rstancel
rstepani
sausingh
smaestri
sthirugn
swoodman
szappis
tasato
tcunning
thjenkin
vdosoudi
weaton
yfang