Description
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) or the log4j2.sslVerifyHostName system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

* The attacker is able to intercept or redirect network traffic between the client and the log receiver.
* The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).


Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.

As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
Published: 2025-12-18
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Man-in-the-Middle Log Interception
Action: Patch Now
AI Analysis

Impact

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the explicit verification attribute or system property is enabled. As a result, an attacker who can intercept or redirect network traffic between the client and the log receiver can present a server certificate issued by any certificate authority trusted by the Socket Appender's trust store, and the appender will accept it without confirming that the certificate matches the configured host name. This allows the attacker to intercept, modify, or redirect log traffic, compromising the confidentiality and integrity of log data. The flaw is an instance of improper certificate validation (CWE‑295) and improper validation of a certificate with a host mismatch (CWE‑297).

Affected Systems

Affected software is the Apache Log4j Core library. Versions 2.0-beta9 to 2.25.2 inclusive are vulnerable. All deployments that use the Socket Appender to send logs via TLS over the network, whether they rely on the default Java trust store or a custom one, are impacted. No versions beyond 2.25.2 contain the fix.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate threat level. The EPSS score is below 1%, suggesting a low probability that the vulnerability will be actively exploited, and it is not listed in CISA's KEV catalog. However, the conditions required for exploitation—an attacker who can intercept the network flow—are plausible in many environments. The vulnerability is exploitable only when a trusted CA certificate can be presented to the Log4j Socket Appender, so it is most relevant to systems that connect to third‑party log collectors over TLS without restricting the trust store. Organizations should treat this as a low‑to‑moderate risk depending on exposure.

Generated by OpenCVE AI on April 20, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Log4j Core to version 2.25.3, which includes the hostname verification fix.
  • If an upgrade is not immediately possible, configure the Socket Appender to use a private or restricted trust root that includes only known, trusted certificates, thereby limiting the attacker’s ability to present a valid certificate.
  • Verify that the Socket Appender’s configuration for verifyHostName is set to true; although the issue persists in affected versions, ensuring this setting is correct prepares the configuration for future upgrades.
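The restricted-trust-root mitigation named in the description and in the recommended actions above, as an added configuration example that is not part of the advisory or of the Log4j project's documentation; the host, port, trust store path and environment-variable name are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <!-- Placeholder receiver: replace host/port with the real log collector -->
    <Socket name="TlsSocket" host="logs.example.internal" port="6514" protocol="SSL">
      <!-- verifyHostName="true" is the documented attribute. On 2.0-beta9..2.25.2 the
           Socket Appender ignores it, so it only takes effect after upgrading to 2.25.3;
           until then the private trust store below is what limits exposure. -->
      <SSL protocol="TLS" verifyHostName="true">
        <!-- Private trust store holding ONLY the issuing CA (or leaf certificate) of the
             log receiver. Do not point this at the JDK cacerts file: with hostname
             verification missing, any certificate from any public CA would be accepted. -->
        <TrustStore location="/etc/app/log-receiver-truststore.p12"
                    type="PKCS12"
                    passwordEnvironmentVariable="LOG4J_TRUSTSTORE_PASSWORD"/>
      </SSL>
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c - %m%n"/>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="TlsSocket"/>
    </Root>
  </Loggers>
</Configuration>
```

Build the PKCS12 trust store from the receiver's CA certificate alone, so that a certificate from an unrelated public CA fails the trust check even on versions that skip the hostname check.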


Advisories
Source: Debian DLA; ID: DLA-4444-1; Title: apache-log4j2 security update
Source: Github GHSA; ID: GHSA-vc5p-v9hr-52mj; Title: Apache Log4j does not verify the TLS hostname in its Socket Appender
History

Tue, 20 Jan 2026 01:30:00 +0000

Type Values Removed Values Added
References

Mon, 12 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-295
CPEs cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:rc1-rc1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Fri, 09 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Moderate


Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache log4j
Vendors & Products Apache
Apache log4j

Thu, 18 Dec 2025 22:30:00 +0000

Type Values Removed Values Added
References

Thu, 18 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
Description The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
Title Apache Log4j Core: Missing TLS hostname verification in Socket appender
Weaknesses CWE-297
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T16:18:50.424Z

Reserved: 2025-12-16T11:30:53.875Z

Link: CVE-2025-68161

Vulnrichment

Updated: 2026-01-20T00:13:44.911Z

NVD

Status : Modified

Published: 2025-12-18T21:15:57.960

Modified: 2026-01-20T01:15:55.067

Link: CVE-2025-68161

Redhat

Severity : Moderate

Public Date: 2025-12-18T20:47:49Z

Links: CVE-2025-68161 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:45:12Z

Weaknesses