Posted to notifications@logging.apache.org by "sriram subramanian (Jira)" <ji...@apache.org> on 2020/10/05 18:41:00 UTC

[jira] [Commented] (LOG4J2-2819) Add support for specifying an SSL configuration for SmtpAppender

    [ https://issues.apache.org/jira/browse/LOG4J2-2819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208253#comment-17208253 ] 

sriram subramanian commented on LOG4J2-2819:
--------------------------------------------

Hi Team.

Do we have a Java 7 compatible version that has a fix for this vulnerability: CVE-2020-9488? We are currently using the log4j 1.x bridge and the highest we could upgrade to was *2.12.1*, because of Java 7. Thank you.

> Add support for specifying an SSL configuration for SmtpAppender
> ----------------------------------------------------------------
>
>                 Key: LOG4J2-2819
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2819
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Appenders
>    Affects Versions: 2.13.1
>            Reporter: Matt Sicker
>            Assignee: Matt Sicker
>            Priority: Major
>             Fix For: 2.13.2
>
>
> The SmtpAppender should be able to use an SSL configuration element to specify a trust store, host name verification, and a key store, so that smtps connections can be further configured. This should re-use the same {{<SSL/>}} configuration element that's used elsewhere like HttpAppender.
> h2. CVE-2020-9488
> The SmtpAppender did not verify the host name matched the SSL/TLS certificate of an SMTPS connection which could allow an attacker with man-in-the-middle access to intercept log messages sent through SMTPS.
> h3. Mitigation
> Upgrade to 2.13.2 which supports this feature. Previous versions can set the system property {{mail.smtp.ssl.checkserveridentity}} to {{true}} to globally enable hostname verification for SMTPS connections.
> h3. Details
> CWE: 297
> CVSS: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
> Reporter: Peter Stöckli <pe...@alphabot.com>
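A Log4j 2 configuration showing the hardened SmtpAppender the issue describes, with the `<SSL/>` element supplying a trust store and hostname verification. This is an added example, not configuration from the issue or the Log4j project; the host name, trust-store path and environment variable name are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: SmtpAppender over SMTPS with an explicit SSL element
     (requires Log4j 2.13.2 or later). smtp.example.invalid, the trust-store
     path and MAIL_TRUSTSTORE_PASSWORD are placeholders. -->
<Configuration status="warn">
  <Appenders>
    <SMTP name="Mail"
          subject="Application error"
          to="ops@example.invalid"
          from="app@example.invalid"
          smtpHost="smtp.example.invalid"
          smtpPort="465"
          smtpProtocol="smtps"
          bufferSize="50">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
      <!-- verifyHostName="true" makes the appender reject a server whose
           certificate does not match smtpHost (the CVE-2020-9488 gap).
           The TrustStore limits which CAs may issue that certificate. -->
      <SSL protocol="TLS" verifyHostName="true">
        <TrustStore location="/etc/app/mail-truststore.jks"
                    passwordEnvironmentVariable="MAIL_TRUSTSTORE_PASSWORD"/>
      </SSL>
    </SMTP>
  </Appenders>
  <Loggers>
    <Root level="error">
      <AppenderRef ref="Mail"/>
    </Root>
  </Loggers>
</Configuration>
```

On releases before 2.13.2, which do not accept an SSL element on SmtpAppender, the mitigation above applies instead: start the JVM with `-Dmail.smtp.ssl.checkserveridentity=true` so the mail library performs the same hostname check on every SMTPS session.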



--
This message was sent by Atlassian Jira
(v8.3.4#803005)