Posted to notifications@logging.apache.org by "Ralph Goers (Jira)" <ji...@apache.org> on 2020/06/18 22:26:00 UTC

[jira] [Comment Edited] (LOG4J2-2819) Add support for specifying an SSL configuration for SmtpAppender

    [ https://issues.apache.org/jira/browse/LOG4J2-2819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17140025#comment-17140025 ] 

Ralph Goers edited comment on LOG4J2-2819 at 6/18/20, 10:25 PM:
----------------------------------------------------------------

Log4j 1.2 does not support configuring any SSL/TLS information just for the SmtpAppender. It can only use the properties configured for the JVM. There will be no patch for Log4j 1.2 since it is EOL. So, to be clear, yes, Log4j 1.2 has the same issue, but this Jira issue is targeted at Log4j 2.

I believe the Log4j team has said we will not be providing patches for Log4j 2.3 (Java 6) but we are open to providing patches for Java 7.

If Maven requires a version of Log4j compatible with Java 7 that includes this patch then we will have to create one.


was (Author: ralph.goers@dslextreme.com):
Log4j 1.2 does not support configuring any SSL/TLS information just for the SmtpAppender. It can only use the properties configured for the JVM. There will be no patch for Log4j 1.2 since it is EOL.

I believe the Log4j team has said we will not be providing patches for Log4j 2.3 (Java 6) but we are open to providing patches for Java 7.

If Maven requires a version of Log4j compatible with Java 7 that includes this patch then we will have to create one.

> Add support for specifying an SSL configuration for SmtpAppender
> ----------------------------------------------------------------
>
>                 Key: LOG4J2-2819
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2819
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Appenders
>    Affects Versions: 2.13.1
>            Reporter: Matt Sicker
>            Assignee: Matt Sicker
>            Priority: Major
>             Fix For: 2.13.2
>
>
> The SmtpAppender should be able to use an SSL configuration element to specify a trust store, host name verification, and a key store, so that smtps connections can be further configured. This should re-use the same {{<SSL/>}} configuration element that's used elsewhere like HttpAppender.
> h2. CVE-2020-9488
> The SmtpAppender did not verify that the host name matched the SSL/TLS certificate of an SMTPS connection, which could allow an attacker with man-in-the-middle access to intercept log messages sent through SMTPS.
> h3. Mitigation
> Upgrade to 2.13.2 which supports this feature. Previous versions can set the system property {{mail.smtp.ssl.checkserveridentity}} to {{true}} to globally enable hostname verification for SMTPS connections.
> h3. Details
> CWE: 297
> CVSS: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
> Reporter: Peter Stöckli <pe...@alphabot.com>
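An added example (not part of the Jira issue or the Log4j project) of what the feature requested above looks like in a Log4j 2.13.2+ configuration: an SmtpAppender restricted to smtps, with a dedicated trust store and host name verification switched on explicitly. The `verifyHostName` attribute on `<SSL>` is assumed to be the name introduced by this change; host, port, mail addresses and the trust store path and password variable are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example configuration, not from the Jira issue.
     Sends ERROR events by mail over smtps and requires both a trusted
     certificate chain and a matching host name (the check that was
     missing in CVE-2020-9488). All hosts, addresses and paths are placeholders. -->
<Configuration status="WARN">
  <Appenders>
    <SMTP name="Mail"
          subject="[ALERT] application error"
          to="ops-alerts@example.invalid"
          from="app@example.invalid"
          smtpProtocol="smtps"
          smtpHost="smtp.example.invalid"
          smtpPort="465"
          bufferSize="50">
      <!-- Same SSL element as HttpAppender/SocketAppender use.
           verifyHostName is assumed to be the attribute added for this issue;
           set it explicitly instead of relying on a default. -->
      <SSL protocol="TLSv1.2" verifyHostName="true">
        <!-- Pin trust to a store holding only the mail relay's CA rather than
             the JVM-wide cacerts; the password comes from the environment. -->
        <TrustStore location="/etc/app/smtp-truststore.p12"
                    type="PKCS12"
                    passwordEnvironmentVariable="SMTP_TRUSTSTORE_PASSWORD"/>
      </SSL>
      <PatternLayout pattern="%d{ISO8601} %-5p %c{1.} [%t] %m%n"/>
    </SMTP>
  </Appenders>
  <Loggers>
    <Root level="info">
      <!-- Only ERROR and above are mailed; the buffer adds preceding context. -->
      <AppenderRef ref="Mail" level="error"/>
    </Root>
  </Loggers>
</Configuration>
```

On versions before 2.13.2 the `<SSL>` child is not available for SMTP, so the issue's mitigation applies instead: start the JVM with `-Dmail.smtp.ssl.checkserveridentity=true`, which enables host name verification globally for the JavaMail session the appender builds from system properties.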



--
This message was sent by Atlassian Jira
(v8.3.4#803005)