You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@logging.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/12/18 23:03:00 UTC

[jira] [Commented] (LOG4J2-2819) Add support for specifying an SSL configuration for SmtpAppender

    [ https://issues.apache.org/jira/browse/LOG4J2-2819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462029#comment-17462029 ] 

ASF subversion and git services commented on LOG4J2-2819:
---------------------------------------------------------

Commit bb94ea9fa921a61f90b6a934600567e719419ddd in logging-log4j2's branch refs/heads/log4j-2.12 from Ralph Goers
[ https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=bb94ea9 ]

LOG4J2-2819 - Add support for specifying an SSL configuration for SmtpAppender.


> Add support for specifying an SSL configuration for SmtpAppender
> ----------------------------------------------------------------
>
>                 Key: LOG4J2-2819
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2819
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Appenders
>    Affects Versions: 2.13.1
>            Reporter: Matt Sicker
>            Assignee: Matt Sicker
>            Priority: Major
>             Fix For: 2.13.2
>
>
> The SmtpAppender should be able to use an SSL configuration element to specify a trust store, host name verification, and a key store, so that smtps connections can be further configured. This should re-use the same {{<SSL/>}} configuration element that's used elsewhere like HttpAppender.
> h2. CVE-2020-9488
> The SmtpAppender did not verify the host name matched the SSL/TLS certificate of an SMTPS connection which could allow an attacker with man-in-the-middle access to intercept log messages sent through SMTPS.
> h3. Mitigation
> Upgrade to 2.13.2 which supports this feature. Previous versions can set the system property {{mail.smtp.ssl.checkserveridentity}} to {{true}} to globally enable hostname verification for SMTPS connections.
> h3. Details
> CWE: 297
> CVSS: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
> Reporter: Peter Stöckli <pe...@alphabot.com>



--
This message was sent by Atlassian Jira
(v8.20.1#820001)