Description
The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element.

Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.

A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:

* An SMTP, Socket, or Syslog appender is in use.
* TLS is configured via a nested <Ssl> element.
* The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.
This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Published: 2026-04-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Hostname verification bypass, allowing man‑in‑the‑middle attacks on TLS connections
Action: Patch Now
AI Analysis

Impact

A silent ignore of the verifyHostName attribute in Log4j Core’s <Ssl> configuration enables an attacker to bypass TLS hostname verification, effectively turning a secure connection into a Trojan horse. This weakness can allow the interception and manipulation of log transmission, exposing sensitive logging data and enabling further compromise. The flaw is rooted in CWE‑295 (Improper Authentication) and CWE‑297 (Improper Verification of Cryptographic Parameters).

Affected Systems

Apache Log4j Core versions 2.12.0 through 2.25.3 are impacted, specifically when an SMTP, Socket, or Syslog appender is used and TLS is configured via a nested <Ssl> element. The HTTP appender is not affected because it uses a distinct verifyHostname attribute that behaves correctly.

Risk and Exploitability

The CVSS score of 6.3 reflects a moderate severity, but the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a lower likelihood of widespread exploitation. Nevertheless, a network‑based attacker who can present a certificate trusted by the application’s trust store, or the default Java trust store, can meet the conditions and mount a man‑in‑the‑middle attack. The attack requires the presence of a vulnerable appender and an adjacent TLS layer that does not enforce hostname validation. While not immediately exploitable in all environments, the potential impact on confidentiality warrants prompt attention.

Generated by OpenCVE AI on April 14, 2026 at 01:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Apache Log4j Core 2.25.4 or later, which fixes the verifyHostName handling bug.
  • Verify that the verifyHostName attribute is set to true in any remaining <Ssl> configurations, or use the system property log4j2.sslVerifyHostName to enforce hostname checks.
  • If an upgrade is not immediately possible, configure appenders to avoid TLS via <Ssl> or switch to the HttpAppender, which correctly verifies host names by default.
  • Review the trust store used by the application to ensure it does not contain untrusted CA certificates that could be presented by an attacker.

Generated by OpenCVE AI on April 14, 2026 at 01:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6hg6-v5c8-fphq Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration
History

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-295
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Moderate

Fri, 10 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested <Ssl> element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Title Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass
First Time appeared Apache
Apache log4j
Weaknesses CWE-297
CPEs cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache log4j
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Apache Log4j
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T17:38:57.154Z

Reserved: 2026-03-28T11:26:04.052Z

Link: CVE-2026-34477

cve-icon Vulnrichment

Updated: 2026-04-10T17:38:37.230Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-10T16:16:30.843

Modified: 2026-04-13T15:02:06.187

Link: CVE-2026-34477

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-10T15:36:19Z

Links: CVE-2026-34477 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:28Z

Weaknesses