Apache Log4j's SMTP appender does not check that the hostname in the SMTP server's certificate matches the host it connected to (improper certificate validation with host mismatch). An attacker positioned between the application and the mail server can therefore present any certificate that chains to a trusted CA, regardless of the name it was issued for, intercept the SMTPS connection, and read any log messages sent through that appender. The upstream advisory states the fix shipped in Apache Log4j 2.12.3 and 2.13.1; the affected-version ranges below end at 2.3.2, 2.12.3 and 2.13.2 respectively.
The underlying weakness class (CWE-295, Improper Certificate Validation): the product does not validate, or incorrectly validates, a certificate.
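To show the hardening side of this advisory, here is a Log4j 2 configuration (an added example written for this page, not taken from the advisory or from the Log4j project) with the SMTP appender in its weak form beside a hardened one. Hostnames, addresses, the truststore path and the password file are placeholders. The `SSL` child element with a `verifyHostName` attribute and a `TrustStore` child is the `SslConfiguration` plugin that the fixed releases accept on the SMTP appender; treat the exact attribute names as an assumption to confirm against the documentation of the version you deploy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <!-- Weak: on log4j-core before the fixed releases an smtps connection
         never checks that the name in the server certificate matches
         smtpHost, so a certificate issued for any other host is accepted. -->
    <SMTP name="MailVulnerable"
          subject="Application error"
          to="ops@example.com" from="app@example.com"
          smtpProtocol="smtps" smtpHost="mail.example.com" smtpPort="465"
          bufferSize="50">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </SMTP>

    <!-- Hardened: the same appender on a fixed log4j-core, with an explicit
         SSL configuration that pins the trust anchors to a truststore the
         application owns and turns hostname verification on.
         Paths and the password file are placeholders (assumption). -->
    <SMTP name="MailHardened"
          subject="Application error"
          to="ops@example.com" from="app@example.com"
          smtpProtocol="smtps" smtpHost="mail.example.com" smtpPort="465"
          bufferSize="50">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
      <SSL protocol="TLSv1.2" verifyHostName="true">
        <TrustStore location="/etc/app/mail-truststore.p12"
                    passwordFile="/etc/app/mail-truststore.pw"
                    type="PKCS12"/>
      </SSL>
    </SMTP>
  </Appenders>
  <Loggers>
    <Root level="error">
      <AppenderRef ref="MailHardened"/>
    </Root>
  </Loggers>
</Configuration>
```

Two caveats. First, the hardened block only helps once `log4j-core` is at a fixed version; on an affected version the extra element is not honoured, so check the resolved dependency (for Maven, `mvn dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core`) rather than trusting the configuration file. Second, hostname verification is only meaningful together with chain validation against a trust store you control; pinning the `TrustStore` to the mail relay's issuing CA keeps a compromised or careless public CA from satisfying the check.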
Name | Vendor | Start Version (or affected package, for Red Hat rows) | End Version |
---|---|---|---|
Log4j | Apache | 2.0 (including) | 2.3.2 (excluding) |
Log4j | Apache | 2.4 (including) | 2.12.3 (excluding) |
Log4j | Apache | 2.13.0 (including) | 2.13.2 (excluding) |
AMQ Clients 2.y for RHEL 6 | RedHat | qpid-cpp-0:1.36.0-31.el6_10amq | * |
AMQ Clients 2.y for RHEL 6 | RedHat | qpid-proton-0:0.32.0-1.el6_10 | * |
AMQ Clients 2.y for RHEL 7 | RedHat | qpid-cpp-0:1.36.0-31.el7amq | * |
AMQ Clients 2.y for RHEL 7 | RedHat | qpid-proton-0:0.32.0-2.el7 | * |
AMQ Clients 2.y for RHEL 8 | RedHat | nodejs-rhea-0:1.0.24-1.el8 | * |
AMQ Clients 2.y for RHEL 8 | RedHat | qpid-proton-0:0.32.0-2.el8 | * |
Red Hat Data Grid | RedHat | log4j-core | * |
Red Hat Data Grid 7.3.7 | RedHat | log4j | * |
Red Hat Fuse 7.10 | RedHat | log4j-core | * |
Red Hat Fuse 7.8.0 | RedHat | log4j | * |
Red Hat JBoss Data Virtualization 6.4.8.SP1 | RedHat | * | |
Red Hat JBoss Data Virtualization 6.4.8.SP2 | RedHat | * | |
RHDM 7.10.0 | RedHat | log4j-core | * |
RHPAM 7.10.1 | RedHat | log4j-core | * |
Text-Only RHOAR | RedHat | log4j | * |
Text-Only RHOAR | RedHat | log4j-core | * |
Apache-log4j2 | Ubuntu | bionic | * |
Apache-log4j2 | Ubuntu | eoan | * |
Apache-log4j2 | Ubuntu | esm-infra/xenial | * |
Apache-log4j2 | Ubuntu | focal | * |
Apache-log4j2 | Ubuntu | groovy | * |
Apache-log4j2 | Ubuntu | trusty | * |
Apache-log4j2 | Ubuntu | upstream | * |
Apache-log4j2 | Ubuntu | xenial | * |