CVE-2026-34477

描述

The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the [`log4j2.sslVerifyHostName`](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property, but not when configured through the [`verifyHostName`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) attribute of the `<Ssl>` element. Although the `verifyHostName` configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested <Ssl> element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate [`verifyHostname`](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName) attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

受影響套件(1)

• Maven/org.apache.logging.log4j:log4j-core>= 2.12.0, < 2.25.4

CVSS 分數

參考連結(7)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-34477
• PATCHhttps://github.com/apache/logging-log4j2
• WEBhttps://github.com/apache/logging-log4j2/pull/4075
• WEBhttps://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4
• WEBhttps://logging.apache.org/cyclonedx/vdr.xml
• WEBhttps://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
• WEBhttps://logging.apache.org/security.html#CVE-2026-34477