CVE-2020-9488: [LOG4J2-2819] Add support for specifying an SSL configuration for SmtpAppender

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.


The SmtpAppender should be able to use an SSL configuration element to specify a trust store, host name verification, and a key store, so that smtps connections can be further configured. This should re-use the same <SSL/> configuration element that’s used elsewhere like HttpAppender.

CVE-2020-9488

The SmtpAppender did not verify that the host name matched the SSL/TLS certificate of an SMTPS connection, which could allow an attacker with man-in-the-middle access to intercept log messages sent through SMTPS.

Mitigation

Upgrade to 2.13.2, which supports this feature. Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.
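As an added illustration that is not part of the advisory or the Log4j project's own documentation, the log4j2.xml fragment below contrasts a pre-2.13.2 style SMTPS appender, which relies on the mail library default and so never checks that the certificate belongs to smtpHost, with the 2.13.2 form that attaches the shared <SSL> element. Host names, file paths and the environment variable are placeholders; the verifyHostName attribute and the TrustStore child are assumed to match the SSL element Log4j 2 already uses for HttpAppender, so confirm them against the 2.13.2 manual.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not taken from the advisory. All hosts, paths and
     variable names are placeholders. -->
<Configuration status="warn">
  <Appenders>

    <!-- BEFORE (Log4j 2 older than 2.13.2): the connection is encrypted, but
         no <SSL> element can be given and server identity is not checked by
         default, so a valid certificate issued for some other host name is
         accepted. That is the CVE-2020-9488 condition (CWE-297). The advisory's
         fallback for these versions is the JVM flag
         -Dmail.smtp.ssl.checkserveridentity=true -->
    <SMTP name="MailBefore" subject="Application errors" to="ops@example.invalid"
          from="app@example.invalid" smtpHost="mail.example.invalid" smtpPort="465"
          smtpProtocol="smtps" bufferSize="50">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1.} - %m%n"/>
    </SMTP>

    <!-- AFTER (Log4j 2.13.2 and later): the same appender with an <SSL> element,
         so the trust anchor is explicit and host name verification is on. -->
    <SMTP name="MailAfter" subject="Application errors" to="ops@example.invalid"
          from="app@example.invalid" smtpHost="mail.example.invalid" smtpPort="465"
          smtpProtocol="smtps" bufferSize="50">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1.} - %m%n"/>
      <!-- verifyHostName is assumed to be the attribute name of the shared SSL
           element; check it against the 2.13.2 manual before relying on it. -->
      <SSL protocol="TLSv1.2" verifyHostName="true">
        <!-- Placeholder trust store containing only the mail relay's issuing CA,
             with the password read from the environment rather than this file. -->
        <TrustStore location="/etc/app/mail-truststore.p12" type="PKCS12"
                    passwordEnvironmentVariable="MAIL_TRUSTSTORE_PW"/>
      </SSL>
    </SMTP>

  </Appenders>
  <Loggers>
    <Root level="error">
      <AppenderRef ref="MailAfter"/>
    </Root>
  </Loggers>
</Configuration>
```

A quick check after deploying is to point smtpHost at a relay whose certificate carries a different name and confirm the appender logs a handshake failure instead of delivering mail.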

Details

CWE: 297
CVSS: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Reporter: Peter Stöckli
